CA3205932A1 - Multi-factor authentication employing a wearable mobile device, and access-control systems - Google Patents
Multi-factor authentication employing a wearable mobile device, and access-control systemsInfo
- Publication number
- CA3205932A1 CA3205932A1 CA3205932A CA3205932A CA3205932A1 CA 3205932 A1 CA3205932 A1 CA 3205932A1 CA 3205932 A CA3205932 A CA 3205932A CA 3205932 A CA3205932 A CA 3205932A CA 3205932 A1 CA3205932 A1 CA 3205932A1
- Authority
- CA
- Canada
- Prior art keywords
- user
- access
- secure resource
- credential
- computer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 claims abstract description 20
- 208000015181 infectious disease Diseases 0.000 claims description 6
- 230000036541 health Effects 0.000 claims description 5
- 238000005259 measurement Methods 0.000 claims description 4
- 208000035473 Communicable disease Diseases 0.000 claims description 3
- 230000003287 optical effect Effects 0.000 description 9
- 238000004891 communication Methods 0.000 description 4
- 230000004044 response Effects 0.000 description 4
- 230000009471 action Effects 0.000 description 2
- 238000013500 data storage Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 239000008280 blood Substances 0.000 description 1
- 210000004369 blood Anatomy 0.000 description 1
- 230000000747 cardiac effect Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000013479 data entry Methods 0.000 description 1
- VJYFKVYYMZPMAB-UHFFFAOYSA-N ethoprophos Chemical compound CCCSP(=O)(OCC)SCCC VJYFKVYYMZPMAB-UHFFFAOYSA-N 0.000 description 1
- 230000014509 gene expression Effects 0.000 description 1
- 238000006213 oxygenation reaction Methods 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 230000029058 respiratory gaseous exchange Effects 0.000 description 1
- 230000035945 sensitivity Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
- 210000000707 wrist Anatomy 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
- G06F21/35—User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/20—Individual registration on entry or exit involving the use of a pass
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Software Systems (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Measurement Of The Respiration, Hearing Ability, Form, And Blood Characteristics Of Living Organisms (AREA)
- Lock And Its Accessories (AREA)
- Mobile Radio Communication Systems (AREA)
- Selective Calling Equipment (AREA)
Abstract
A method for providing user access to a secure resource comprising information or physical premises, includes receiving, at a first access-control system controlling access to a first secure resource, a first request from a user to access the first secure resource. The first request has a first user authentication credential. A second request is received, at a second access-control system (i) different from the first access-control system and (ii) controlling access to a second secure resource different from the first secure resource, from the user to access the second secure resource. The second request has a second user authentication credential different from the first user credential. Then it is determined whether to accord the user access to the second resource based on at least (a) the second user credential and (b) whether the first access-control system accorded the user access to the first secure resource based on the first user authentication credential.
Description
MULTI-FACTOR AUTHENTICATION EMPLOYING A WEARABLE
MOBILE DEVICE, AND ACCESS-CONTROL SYSTEMS
Background [0001] This disclosure relates to the field of security systems used to control access to secure premises and computer systems. More specifically, the disclosure relates to systems for controlling access to secure premises, computer systems and applications available from such systems to operate on mobile devices.
MOBILE DEVICE, AND ACCESS-CONTROL SYSTEMS
Background [0001] This disclosure relates to the field of security systems used to control access to secure premises and computer systems. More specifically, the disclosure relates to systems for controlling access to secure premises, computer systems and applications available from such systems to operate on mobile devices.
[0002] Persons authorized to access and use computers or computer systems for which access is restricted only to those authorized by the computer or computer system operator, require that a prospective user be authenticated as a user.
Authentication known in the art includes a user-worn badge or the like with simple ID information on it, biometric scan (fingerprint) by a sensor on signal communication with the computer or computer system and/or password (single or multiple factor) user entry. All the foregoing authentication methods require that the computer or computer system stores personal information about authorized users in order to associate a prospective user with such information to confirm that the prospective user is in fact the person attempting to gain access to the computer or computer system.
Authentication known in the art includes a user-worn badge or the like with simple ID information on it, biometric scan (fingerprint) by a sensor on signal communication with the computer or computer system and/or password (single or multiple factor) user entry. All the foregoing authentication methods require that the computer or computer system stores personal information about authorized users in order to associate a prospective user with such information to confirm that the prospective user is in fact the person attempting to gain access to the computer or computer system.
[0003] In certain instances, storage of personal information concerning prospective users is limited or denied by law or regulation, or exposes the computer or computer system operator to liability in the event of improper disclosure of such personal information.
Summary
Summary
[0004] One aspect of the present disclosure is a method for providing user access to a secure resource comprising information or physical premises. A method according to this aspect includes receiving, at a first access-control system controlling access to a first secure resource, a first request from a user to access the first secure resource. The first request has a first user authentication credential. A second request is received, at a second access-control system (i) different from the first access-control system and (ii) controlling access to a second secure resource different from the first secure resource, from the user to access the second secure resource. The second request has a second user authentication credential different from the first user credential. Then it is determined whether to accord the user access to the second resource based on at least (a) the second user credential and (b) whether the first access-control system accorded the user access to the first secure resource based on the first user authentication credential.
[0005] In some embodiments, the second user credential comprises at least one biometric measurement.
[0006] In some embodiments, the at least one biometric measurement corresponds to a health condition of the user.
[0007] In some embodiments, the health condition comprises infection by a communicable disease.
[0008] In some embodiments, the first user credential is transmitted from a smartphone.
[0009] In some embodiments, the second user credential is transmitted from a user worn security device.
[0010] In some embodiments, the user worn security device comprises at least one biometric sensor.
[0011] Other aspects and possible advantages will be apparent from the description and claims that follow.
Brief Description of the Drawings
Brief Description of the Drawings
[0012] FIG. 1 shows a flow chart of an example embodiment of a method according to the present disclosure.
Detailed Description
Detailed Description
[0013] In a method according to the present disclosure, a user (i.e., a natural person) communicates with a server, computer or computer system. The server, computer or computer system has resident on it, in any form of data storage medium, data and/or applications to be accessed only by particular authorized users. The server, computer or computer system may also control access, such as by operating electronic locks or gates, to a controlled access or otherwise secure facility.
[0014] The communication between the user and the server, computer or computer system may be edge based, cloud based or otherwise, such as by a user terminal proximate entry point to a secure area. The user in a method according to the present disclosure will have in his possession a mobile device, such as a smartphone, to operate applications and/or to access data stored on the computer system, computer or server.
When the user requests access through the server, computer or computer system (e.g., by accessing a user terminal), the server, computer or computer system may return a session registration query. The user then registers the mobile device for an authenticated session by responding to the session registration query. Such response may be made by using the mobile device to scan an optical identification code, such as a QR code, generated and displayed by the server, computer or computer system in response to the user communication.
When the user requests access through the server, computer or computer system (e.g., by accessing a user terminal), the server, computer or computer system may return a session registration query. The user then registers the mobile device for an authenticated session by responding to the session registration query. Such response may be made by using the mobile device to scan an optical identification code, such as a QR code, generated and displayed by the server, computer or computer system in response to the user communication.
[0015] By scanning the optical identification code, the mobile device will generate a signal in response, e.g., a pattern or code on the device's display (which may be optically scanned by the server, computer or computer system), or by communicating a specific SMS text message or radio signal, which when communicated to the computer, computer system or server, temporarily authenticates the mobile device to an access session within the computer, computer system or server. The foregoing device registration may be temporary. The server, computer or computer system operator may set a fixed time duration for the access session and/or close the registration when the access session on the server, computer or computer system is terminated by the user. The server, computer or computer system operator may also program the system (including the server and/or computer system) to terminate the access session registration after a predetermined timeout period in which no user input or commands are entered into the mobile device by the user.
[0016] The mobile device may be further authenticated by entry into a data input field (whether on the mobile device or other session data entry facility) the user's passwords, passcodes, user's biometric information (e.g., fingerprint scan) or other multi-factor authentication methods already set up by the user with respect to the particular mobile device. Such authentication replaces the need for the computer system, computer or server to store user passwords or other authentication data for the particular user or any other user.
[0017] Mobile device authentication can also be performed by linking the authentication method to the user's employer site (company) login facility, a user Google (or social media) account login, a user Microsoft account login, linked or other third party mobile device authentication service. The purpose of the foregoing mobile device authentication is to identify the mobile device as belonging to the particular user, and thus authenticating the user without the need to store personal identification information concerning the user. Only the user would be expected to know the authentication code(s) or have the required biometric properties or information to satisfy any of the foregoing authentication methods. Thus, after the user has authenticated the mobile device to the server, computer or computer system, the authenticated mobile device can then be used to authenticate the optical identification (e.g., QR) code when such code is transmitted by the server, computer or computer system.
[0018] The user will also have in his possession a wearable security device, such as a key fob, wrist band, data card (e.g., photo ID card) on a lanyard, or other wearable security device issued by the system operator entity designated by the system operator.
In some embodiments, the wearable security device comprises a biometric sensor such as may be embedded in a wrist-worn band. The wearable security device may have an embedded radio frequency identification (RFID) tag and an embedded optical identification code such as a QR code. The user presents the wearable security device to the authenticated mobile device to scan the optical identification code embedded in the wearable security device or to interrogate the RFID tag. This action authenticates the wearable security device, temporarily "pairing" it with the authenticated mobile device. The wearable security device can at that point be used temporarily to access a secure computer system, computer or server and/or a secure physical premises, whether using the mobile device or the wearable security device to gain physical access.
In some embodiments, the wearable security device comprises a biometric sensor such as may be embedded in a wrist-worn band. The wearable security device may have an embedded radio frequency identification (RFID) tag and an embedded optical identification code such as a QR code. The user presents the wearable security device to the authenticated mobile device to scan the optical identification code embedded in the wearable security device or to interrogate the RFID tag. This action authenticates the wearable security device, temporarily "pairing" it with the authenticated mobile device. The wearable security device can at that point be used temporarily to access a secure computer system, computer or server and/or a secure physical premises, whether using the mobile device or the wearable security device to gain physical access.
[0019] These actions provide a minimum of a three-way "triangle"
authentication system that reduces the threat of counterfeit access.
authentication system that reduces the threat of counterfeit access.
[0020] This process may be performed by individually linking multiple devices using sensors and device authentication.
[0021] To gain access to a secure premises or to privileged information, the user must have an active wearable security device and/or confirm the optical identification code or RFID tag on the wearable security device and the mobile device.
[0022] In one embodiment, the wearable security device may be one or more forms of a biometric sensing device sold under the trademark SYMP2PASS, which is a trademark registered in Canada of Idea Capital Inc., Edmonton, AB, Canada. The SYMP2PASS
sensor may comprise a radio frequency identification (RFID) tag with an identified, or embedded optical code such as a QR code to identify the specific wearable security device.
sensor may comprise a radio frequency identification (RFID) tag with an identified, or embedded optical code such as a QR code to identify the specific wearable security device.
[0023] The specific wearable security device may be made to correspond to medical information about the wearer without the requirement to obtain stored medical information about the wearer, that is, a specific individual person for whom stored medical information may not be used for purposes such as personal authentication to access a computer, a computer system or a secure facility.
[0024] In one example, the wearable security device may form part of a kit to perform an olfactory sensitivity test, wherein a scent strip is provided with the wearable security device. In another example, a questionnaire may be answered, for example by accessing an Internet site associated with the provider of the wearable security device to which a user responds. Answers to the questionnaire may then associate certain medical diagnoses, such as exposure to a contagious condition, based on the answers to the questionnaire. Thus, the wearable security device will have associated therewith medical information relevant to the particular user of the wearable security device without access to any personal medical information of such user. In another example, one or more biometric sensors may be associated with the wearable security device, such as, and without limitation, a blood oxygenation sensor, a temperature sensor, a cardiac pulse rate sensor, a sphygmomanometer and a respiration rate sensor. Such sensor(s) may have data stored on any form of electronic data storage medium associated with the wearable security device, which data when communicated to a computer or computer system operated by the provider of the wearable security device, may make one or more inferences about the health condition of the user, for example, infection by a communicable disease. Such inference(s) may be communicated to the computer, server or computer system that has authentication required access, or controls access to a secure facility described above.
[0025] An example embodiment of a method and system components used therewith according to the present disclosure are shown in FIG. 1.
[0026] At 10, a wearable security device 20 such as a wristband has embedded information, e.g., concerning an amount of access to secure information that is available by the user having purchased or otherwise obtained access rights, as explained above.
The embedded information may be interrogated and displayed to the user, for example, on a mobile device 30 such as a smartphone, having resident thereon an appropriate application or computer program. At 12, the user may attempt to gain access to the secure information such as at a terminal 40 provided by the system operator.
The terminal 40 as explained above may be in communication with a server, computer or computer system or server whereon resides the secure information. The wearable security device 20 may be presented to the terminal 40 for validation, such as by reading an embedded optical identification code such as a QR code. At 14, the mobile device 30 may be paired with the secure computer system or server by the mobile device scanning an optical identification (e.g., QR) code displayed by the terminal 40 in response to the user entering a request for access. At 16, the wearable security device 20 is validated for use with the mobile device 30 as explained above by validating the embedded identification code on the wearable security device 20. A sample display screen on the terminal 40 is shown on the right hand side of FIG. 1.
The embedded information may be interrogated and displayed to the user, for example, on a mobile device 30 such as a smartphone, having resident thereon an appropriate application or computer program. At 12, the user may attempt to gain access to the secure information such as at a terminal 40 provided by the system operator.
The terminal 40 as explained above may be in communication with a server, computer or computer system or server whereon resides the secure information. The wearable security device 20 may be presented to the terminal 40 for validation, such as by reading an embedded optical identification code such as a QR code. At 14, the mobile device 30 may be paired with the secure computer system or server by the mobile device scanning an optical identification (e.g., QR) code displayed by the terminal 40 in response to the user entering a request for access. At 16, the wearable security device 20 is validated for use with the mobile device 30 as explained above by validating the embedded identification code on the wearable security device 20. A sample display screen on the terminal 40 is shown on the right hand side of FIG. 1.
[0027] In light of the principles and example embodiments described and illustrated herein, it will be recognized that the example embodiments can be modified in arrangement and detail without departing from such principles. The foregoing discussion has focused on specific embodiments, but other configurations are also contemplated. In particular, even though expressions such as in "an embodiment," or the like are used herein, these phrases are meant to generally reference embodiment possibilities, and are not intended to limit the disclosure to particular embodiment configurations.
As used herein, these terms may reference the same or different embodiments that are combinable into other embodiments. As a rule, any embodiment referenced herein is freely combinable with any one or more of the other embodiments referenced herein, and any number of features of different embodiments are combinable with one another, unless indicated otherwise. Although only a few examples have been described in detail above, those skilled in the art will readily appreciate that many modifications are possible within the scope of the described examples. Accordingly, all such modifications are intended to be included within the scope of this disclosure as defined in the following claims.
As used herein, these terms may reference the same or different embodiments that are combinable into other embodiments. As a rule, any embodiment referenced herein is freely combinable with any one or more of the other embodiments referenced herein, and any number of features of different embodiments are combinable with one another, unless indicated otherwise. Although only a few examples have been described in detail above, those skilled in the art will readily appreciate that many modifications are possible within the scope of the described examples. Accordingly, all such modifications are intended to be included within the scope of this disclosure as defined in the following claims.
Claims (7)
1. A method for providing user access to a secure resource, the secure resource comprising information or physical premises, the method comprising:
receiving, at a first access-control system controlling access to a first secure resource, a first request from a user to access the first secure resource, the first request comprising a first user authentication credential;
receiving, at a second access-control system (i) different from the first access-control system and (ii) controlling access to a second secure resource different from the first secure resource, a second request from the user to access the second secure resource, the second request comprising a second user authentication credential different from the first user credential; and determining whether to accord the user access to the second resource based on at least (a) the second user credential and (b) whether the first access-control system accorded the user access to the first secure resource based on the first user authentication credential.
receiving, at a first access-control system controlling access to a first secure resource, a first request from a user to access the first secure resource, the first request comprising a first user authentication credential;
receiving, at a second access-control system (i) different from the first access-control system and (ii) controlling access to a second secure resource different from the first secure resource, a second request from the user to access the second secure resource, the second request comprising a second user authentication credential different from the first user credential; and determining whether to accord the user access to the second resource based on at least (a) the second user credential and (b) whether the first access-control system accorded the user access to the first secure resource based on the first user authentication credential.
2. The method of claim 1 wherein the second user credential comprises at least one biometric measurement.
3. The method of claim 2 wherein the at least one biometric measurement corresponds to a health condition of the user.
4. The method of claim 3 wherein the health condition comprises infection by a communicable disease.
5. The method of claim 1 wherein the first user credential is transmitted from a smartphone.
6. The method of claim 1 wherein the second user credential is transmitted from a user worn security device.
7. The method of claim 6 wherein the user worn security device comprises at least one biometric sensor.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US202063128366P | 2020-12-21 | 2020-12-21 | |
US63/128,366 | 2020-12-21 | ||
PCT/IB2021/062132 WO2022137136A1 (en) | 2020-12-21 | 2021-12-21 | Multi-factor authentication employing a wearable mobile device, and access-control systems |
Publications (1)
Publication Number | Publication Date |
---|---|
CA3205932A1 true CA3205932A1 (en) | 2022-06-30 |
Family
ID=82157536
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA3205932A Pending CA3205932A1 (en) | 2020-12-21 | 2021-12-21 | Multi-factor authentication employing a wearable mobile device, and access-control systems |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP4264579A1 (en) |
AU (1) | AU2021405284A1 (en) |
CA (1) | CA3205932A1 (en) |
WO (1) | WO2022137136A1 (en) |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
IT201800002681A1 (en) * | 2018-02-15 | 2019-08-15 | Archimedetech Srl | IDENTITY AUTHENTIFICATION PROCESS / METHOD WITH THE SENDING AND EXCHANGE OF A TEMPORARY PERSONAL PASSWORD BETWEEN AT LEAST FOUR ELECTRONIC DEVICES FOR SUBSEQUENT TOP-UP, PAYMENT, ACCESS AND / OR IDENTIFICATION OF THE MOBILE OWNER OF A SMARTPHONE |
AU2020102011A4 (en) * | 2020-08-27 | 2020-10-08 | Varnavelias, Izabela MRS | A electronic biometric system |
-
2021
- 2021-12-21 WO PCT/IB2021/062132 patent/WO2022137136A1/en unknown
- 2021-12-21 AU AU2021405284A patent/AU2021405284A1/en active Pending
- 2021-12-21 CA CA3205932A patent/CA3205932A1/en active Pending
- 2021-12-21 EP EP21909678.1A patent/EP4264579A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
EP4264579A1 (en) | 2023-10-25 |
WO2022137136A1 (en) | 2022-06-30 |
AU2021405284A1 (en) | 2023-07-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20230134823A1 (en) | Proximity-Based System for Object Tracking | |
US10171460B2 (en) | Proximity-based system for automatic application or data access and item tracking | |
US11182792B2 (en) | Personal digital key initialization and registration for secure transactions | |
US20210334481A1 (en) | Proximity-Based System for Object Tracking an Automatic Application Initialization | |
US10176312B2 (en) | Fingerprint gestures | |
RU2710889C1 (en) | Methods and systems for creation of identification cards, their verification and control | |
JP5863993B2 (en) | Method, system and computer program for accessing confidential information via social networking web services | |
US10482225B1 (en) | Method of authorization dialog organizing | |
US9946860B1 (en) | Systems and methods for allowing administrative access | |
US20190238552A1 (en) | Providing access to structured stored data | |
CA3205932A1 (en) | Multi-factor authentication employing a wearable mobile device, and access-control systems | |
Khatoon et al. | Integrating OAuth and aadhaar with e-health care system | |
US12081991B2 (en) | System and method for user access using mobile identification credential |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request |
Effective date: 20230620 |
|
EEER | Examination request |
Effective date: 20230620 |