EP3925254A1 - Remote interaction with a device using secure range detection - Google Patents

Remote interaction with a device using secure range detection

Info

Publication number
EP3925254A1
Authority
EP
European Patent Office
Prior art keywords
substitute
interaction
devices
computing device
user
Prior art date
Legal status
Withdrawn
Application number
EP20724335.3A
Other languages
German (de)
English (en)
Inventor
Alexander R. LEDWITH
Wade Benson
Marc J. KROCHMAL
John J. IAROCCI
Jerrold V. Hauck
Michael Brouwer
Mitchell D. ADLER
Yannick L. SIERRA
Libor Sykora
Jiri MARGARITOV
Current Assignee
Apple Inc
Original Assignee
Apple Inc
Priority claimed from US16/388,831 (US11250118B2)
Application filed by Apple Inc
Publication of EP3925254A1
Current legal status: Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/63 Location-dependent; Proximity-dependent
    • H04W12/64 Location-dependent; Proximity-dependent using geofenced areas
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities' privileges depend on current location or allowing specific operations only from locally connected terminals
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/33 Security of mobile devices; Security of mobile applications using wearable devices, e.g. using a smartwatch or smart-glasses

Definitions

  • the present description relates generally to modifying a security state of a device, including modifying a security state of a device with secured range detection.
  • a trusted device (e.g., key fobs, mobile devices, wearable devices, etc.)
  • a locked target device may automatically unlock in the presence of a trusted device, or may otherwise accept commands from the trusted device (e.g., via user input) to unlock the target device, allowing a user to avoid having to manually interact with the target device to unlock it.
  • Many such devices communicate with each other through various wireless protocols (e.g., Bluetooth, Wi-Fi, etc.) to verify the proximity of the target device before unlocking it.
  • wireless protocols (e.g., Bluetooth, Wi-Fi, etc.)
  • the communications between the devices are susceptible to attackers who can capture the transmitted data and use it to spoof the proximity of a trusted device without having to break an encryption scheme that is commonly used for such communications.
  • RSSI: received signal strength indicator
  • an attacker can capture the transmission of the trusted device and amplify the signal to make it appear as though the devices are nearer to each other than they actually are, allowing the attacker to unlock the target device. It is desirable to provide more secure methods for detecting the range of a trusted device before allowing the trusted device to unlock a target device.
  • Figure 1 conceptually illustrates a process for a trusted device to use secure ranging to modify a security state of a target device.
  • Figure 2 illustrates an example of using secure ranging with a trusted device to modify the security state of a target device.
  • Figure 3 conceptually illustrates a process for a target device that establishes a connection with a trusted device.
  • Figure 4 conceptually illustrates a process for a trusted device that establishes a connection with a target device.
  • Figure 5 illustrates an example of a target device that establishes a connection with a trusted device.
  • Figure 6 illustrates an example of a trusted device that establishes a connection with a target device.
  • Figure 7 conceptually illustrates a process for a proxy device that assists in establishing a connection between a target device and a trusted device.
  • Figure 8 illustrates an example of a proxy device that assists in establishing a connection between a target device and a trusted device.
  • Figure 9 illustrates a sequence diagram for providing secure ranging when unlocking a target device from a trusted device.
  • Figures 10A-B illustrate an example of providing secure ranging when unlocking a target device from a trusted device.
  • Figure 11 conceptually illustrates a process for a trusted device that provides secure ranging to capture sample distance measurements.
  • Figure 12 conceptually illustrates a process for a target device that uses secure ranging with a trusted device to capture sample distance measurements.
  • Figure 13 illustrates an example of primary and secondary threshold distances from a device.
  • Figure 14 conceptually illustrates a process for performing a ranging operation with multiple frequency bands.
  • Figure 15 conceptually illustrates a process for determining whether devices are within a threshold distance of each other, based on a set of message timestamps.
  • Figure 16 illustrates an access-accelerant process that may be performed by an accelerant module of a device.
  • Figure 17 illustrates an example of a substitute interaction that may be provided by a device to allow a user to access the device under one of multiple user accounts on the device.
  • Figure 18 illustrates an example of a substitute interaction by reference to four operational stages of a computing device.
  • Figure 19 illustrates an example of a substitute interaction that allows a user to change a setting, in lieu of providing a password to perform the setting change.
  • Figure 20 illustrates another example of a substitute interaction that allows a user to change a setting, in lieu of providing a password to perform the setting change.
  • Figure 21 illustrates an example of a substitute interaction for changing a setting on the first device even when the first device is currently being accessed under a user account that does not have privileges to perform the setting change.
  • Figure 22 illustrates an example of a substitute interaction that allows a password-less installation of a program on a device by sending a request to another device to seek authorization for the installation on the device.
  • Figure 23 illustrates an example of a substitute interaction that allows for installing a program on a first device even when the first device is currently being accessed under a user account that does not have privileges for installing the program.
  • Figure 24 illustrates an example of enabling two different substitute interactions when a device is at two different distances from a computer.
  • Figure 25 illustrates several modules executing on a device that enable substitute interactions for account-access operations on the device.
  • Figure 26 illustrates an example process performed when a second device, which has been enabled for substitute interactions, comes within a first distance of a first device.
  • Figure 27 illustrates a process that may be performed by a device when another device is detected within a particular distance of the device.
  • Figure 28 conceptually illustrates an example of an electronic system with which some embodiments of the subject technology are implemented.
  • Some embodiments of the subject technology provide a method for using a trusted device to modify a security state at a target device (e.g., unlocking the device).
  • the target device is the device to be unlocked, while the trusted device is a device that has been authorized to modify the security state of the target device
  • the target and trusted devices e.g., laptop computers, mobile phones, tablets, etc.
  • the trusted device determines whether the sample distance measurements meet a particular set of criteria (e.g., whether the devices are within a threshold distance), and, when the calculated composite distance measurement meets the set of criteria, exchanges a security token (or other authorization information) with the target device to modify the security state (e.g., unlock, authorize payment data, etc.) at the target device.
  • modifying the security state includes authorizing a set of restricted operations or providing a higher level of security access at the target device.
  • the trusted device is established as a trusted device through an authorization (or pairing) process with the target device
  • the authorization process allows a user to grant the trusted device permission to unlock (or otherwise modify the security state of) the target device.
  • the trusted device of some embodiments receives a security token or other shared secret during the authorization process that can be used in future sessions to modify the security state of the target device.
  • the trusted device can be used to modify the security state of the target device
  • the process for modifying the security state can be initiated by either the target device or the trusted device
  • the device that initiates the process is referred to as the initiating device, while the other device is the non-initiating device.
  • the process of some embodiments can be explicitly initiated by a user (e.g., through input at the initiating device) or through implicit actions of the user (e.g., when a user carries a non-initiating device within a particular range of a non-initiating device).
  • the non-initiating device (i.e., the device that is waiting for another device to initiate the process) continuously (or periodically) announces its availability, making the non-initiating device discoverable by other devices.
  • the initiating device determines that the security state of the target device should be modified (e.g., upon receiving user input)
  • the initiating device performs a scan to discover the non-initiating device.
  • a non-initiating device does not continuously announce its availability, but rather a proxy device is used to announce the availability of the non-initiating device.
  • the initiating device of such embodiments scans for and identifies the availability of the non-initiating device (through the announcements of the proxy device).
  • the initiating device then sends a request to the proxy device. In some embodiments, the proxy device then sends another request to the non-initiating device to have it announce its own availability for a brief period of time.
  • the initiating device then performs a scan to discover the non-initiating device.
  • the initiating device exchanges ranging connection information with the non-initiating device. In some embodiments, the ranging connection information (e.g., device identifiers, device state, bootstrap information, etc.) is for establishing a ranging connection between the devices.
  • the ranging connection information identifies a portion of a frequency spectrum that the devices can use for the ranging connection.
  • the ranging connection of some embodiments is used for performing ranging operations to determine whether the devices are within a threshold distance of each other.
  • part of the security protocol for determining whether to allow a trusted device to unlock a target device is based on the set of ranging operations (e.g., determining a distance, proximity, etc.).
  • the method of some embodiments uses ranging (e.g., distance, proximity, etc.) information to determine whether the trusted and target devices are within a specified range of each other before allowing the trusted device to unlock the target device.
  • the trusted device is a trusted device because it shares a shared secret (e.g., through a pairing operation), with the target device.
  • the shared secret of some embodiments is used to secure the ranging operation.
  • the shared secret is a highly secured key that is used for highly sensitive data stored in segregated and secured areas (e.g., a Secure Enclave Processor (SEP)) of the devices.
  • SEP: Secure Enclave Processor
  • the method does not use the shared secret directly, but rather derives a derived key from the shared secret that can be used for the ranging operation.
  • the method of some embodiments shares the shared secret between the devices by performing a secure secret sharing operation over an unsecured connection.
  • the method of some embodiments uses a Diffie-Hellman exchange to provide for secure and ephemeral shared secrets between the devices.
  • the shared secret of some embodiments is used to generate (e.g., through derivation functions) other shared secrets without having to send any of the secret data between the devices.
  • the various shared values are shared between the devices through a cloud service.
  • the cloud service of some embodiments is associated with a user account that is associated with various devices.
  • the cloud service of some embodiments is then used to share the different shared values for the associated devices.
  • the trusted device of some embodiments exchanges messages (or nonces) with the locked target device, recording timestamps for when the messages are sent and received at each device.
  • the messages that are exchanged between the devices are derived from the derived key (or the shared secret) using different key derivation functions (KDFs) that are used to generate new values.
  • KDFs: key derivation functions
  • the KDFs of some embodiments are one-way functions that cannot be used to reveal the original value (i.e., the shared secret), which allow each device to independently generate the same messages without having to have previously sent the messages between the devices.
  • the messages are embedded into calibration signals that are sent through the air at a particular band of the frequency spectrum.
  • the devices then exchange the recorded timestamps for the messages.
  • the timestamps that are exchanged between the devices are encrypted using the derived key (derived from the shared secret), providing a high level of security for the timestamps without using the shared secret directly
  • the devices of some embodiments then use the timestamps to calculate the distances between the devices, determining whether the devices are within a desired proximity of each other. For example, in some embodiments, the messages are sent through the air via radio waves, which travel at the speed of light. The devices of some such embodiments calculate the distance between the two devices based on how long it takes for a message to travel between the devices (e.g., the time between the sending and receiving of the message) and the speed of light.
  • in addition to verifying that the timestamps indicate that the devices are within the desired proximity, the method also performs other verification operations to prevent an attacker from spoofing the location of one or both devices. For example, in some embodiments, the method enforces a constraint on the time between the receipt of a first message at the target device and the sending of a second message from the target device. The constraint ensures that the time between the receipt of the first message and the sending of the second message is too short to allow an attacker to use replay attacks that take advantage of clock drift to make the devices appear to be closer together than they really are.
  • the ranging operation is performed to gather several samples of the ranging data, allowing for a more precise and secure determination of the proximity of the devices.
  • multiple distance measurement samples are statistically analyzed to generate a composite distance measurement, which is then compared to the threshold distance.
  • the devices analyze the distance measurement samples to calculate a confidence level that the device is within a threshold distance. When the confidence level exceeds a threshold value, the devices are deemed to be within an acceptable range.
  • the method determines that the devices are within a desired proximity to each other (or that the ranging information cannot be verified)
  • the method communicates (e.g., through a secured channel over an established connection) with the target device to unlock, or otherwise modify the security state of, the target device.
  • the method unlocks a target device by sending an unlock record (e.g., a secret or a key) that can be used to decrypt a master key at the target device.
  • the unlock record of some embodiments is generated by the target device and sent to the trusted device during a process used for authorizing the trusted device to unlock the target device.
  • the initial connection used for announcing and discovering the availability of a device, the ranging connection used for the ranging operations, and the connection used to communicate the unlock data are different and separate connections.
  • the different connections use different protocols or different methods of communication.
  • the data communicated across a particular connection is actually sent through a separate band of a frequency spectrum or network (e.g., the Internet).
  • communications (e.g., requests, ranging information, etc.)
  • the secured channels of some embodiments are encrypted using different cryptographic keys
  • Multiple different channels can each operate on different connections or may all operate on a single connection
  • Various references are made to connections in this application, but it should be understood that communications over a connection may also be secured through a cryptographic channel.
  • the security of the subject technology of some embodiments requires that the messages are not predictable by an attacker trying to spoof the location of one or both of the devices.
  • the shared secret (and any values derived from the shared secret) are only used for a single ranging operation, so when the method of some embodiments determines that the devices are not within the desired proximity (or that the ranging information cannot be verified), the method discards the shared secret and any shared values (e.g., nonces, derived keys, etc.) and generates a new shared secret before beginning the process again
  • the method performs multiple stages of ranging operations. In addition to performing several ranging operations to generate an accurate distance measurement, the method of some embodiments performs a preliminary ranging operation using a first connection and performs the secure and precise ranging operation using a second connection.
  • the method is performed on a device with hardware that can communicate on multiple bands of a frequency spectrum.
  • a lower-frequency band (e.g., due to power requirements, etc.)
  • the lower-frequency band may not be able to provide the necessary precision or security required to determine whether the trusted device is near the target device.
  • the method of some such embodiments then performs a first ranging operation using the lower-frequency band, and when the method determines that the devices are within the proximity of the lower-frequency band, the method performs a second ranging operation using the high-frequency band to determine whether the devices are within the required range to unlock the target device.
  • the first ranging operation uses a different ranging operation from the second set of ranging operations.
  • a first device performs ranging operations to allow a user to access (e.g., to log in to) the first device under one of several user accounts without providing one or more device-access credentials.
  • the device-access credentials are secret or semi-secret credentials such as passwords, passcodes, biometric input, etc.
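The secure ranging procedure described in the entries above (nonces that both devices derive locally from a KDF over the shared secret, the two-way timestamp exchange, the turnaround-time constraint against drift-based replay, the multi-sample composite and confidence decision, and the lower-band-then-higher-band staging) as a runnable Python sketch. This is an added illustration, not Apple's code or the patent's own implementation; the HKDF-style derivation, the median composite, the fraction-of-samples confidence estimate, the constructed timestamp samples and every threshold value are assumptions made for the example.

```python
import hashlib
import hmac
import statistics
from dataclasses import dataclass
from typing import List, Optional, Tuple

C_M_PER_S = 299_792_458.0  # propagation speed of the ranging signal (radio waves, speed of light)


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA256. One-way: a leaked output reveals nothing about prk."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_ranging_key(shared_secret: bytes, session_id: bytes) -> bytes:
    """Per-session key for one ranging operation; the pairing secret itself is never used directly."""
    return hkdf_expand(shared_secret, b"secure-ranging-key|" + session_id)


def derive_nonce(ranging_key: bytes, sample_index: int, direction: str) -> bytes:
    """Both devices compute identical nonces locally, so no predictable value is ever transmitted."""
    return hkdf_expand(ranging_key, f"nonce|{direction}|{sample_index}".encode(), 16)


@dataclass(frozen=True)
class Sample:
    """Timestamps for one nonce round trip; A and B each use their own unsynchronised clock."""
    t_send_a: float  # A sends nonce_i          (A's clock, seconds)
    t_recv_b: float  # B receives nonce_i       (B's clock)
    t_send_b: float  # B sends its reply nonce  (B's clock)
    t_recv_a: float  # A receives the reply     (A's clock)

    def turnaround(self) -> float:
        return self.t_send_b - self.t_recv_b

    def distance_m(self) -> float:
        # Round trip minus B's turnaround leaves two one-way flights; the clock offset cancels out.
        return (self.t_recv_a - self.t_send_a - self.turnaround()) / 2.0 * C_M_PER_S


def make_sample(distance_m: float, turnaround_s: float, clock_offset_s: float = 100.0) -> Sample:
    """Constructed test input: the timestamps a round trip at a given true distance would produce."""
    flight = distance_m / C_M_PER_S
    t_recv_b = clock_offset_s + flight
    return Sample(0.0, t_recv_b, t_recv_b + turnaround_s, 2 * flight + turnaround_s)


def verify_samples(samples: List[Sample], threshold_m: float, max_turnaround_s: float,
                   min_confidence: float) -> Tuple[bool, Optional[float], float]:
    """Per-sample turnaround constraint, then a composite (median) plus a confidence estimate.
    Confidence here is the fraction of samples inside the threshold (an assumed, simple stand-in)."""
    distances = []
    for s in samples:
        if not 0.0 <= s.turnaround() <= max_turnaround_s:
            # A long turnaround is the window a drift-exploiting replay needs: reject the whole run.
            return False, None, 0.0
        distances.append(s.distance_m())
    composite = statistics.median(distances)
    confidence = sum(d <= threshold_m for d in distances) / len(distances)
    return (composite <= threshold_m and confidence >= min_confidence), composite, confidence


def staged_verify(coarse_estimate_m: float, coarse_threshold_m: float, precise_samples: List[Sample],
                  threshold_m: float, max_turnaround_s: float, min_confidence: float):
    """Two-band policy: a cheap low-frequency estimate gates the precise high-frequency ranging."""
    if coarse_estimate_m > coarse_threshold_m:
        return False, None, 0.0  # far away on the coarse band: do not even start the precise stage
    return verify_samples(precise_samples, threshold_m, max_turnaround_s, min_confidence)


if __name__ == "__main__":
    key = derive_ranging_key(b"\x11" * 32, b"session-0001")  # constructed pairing secret
    print("nonce 0 A->B:", derive_nonce(key, 0, "a2b").hex())
    run = [make_sample(d, 5e-6) for d in (2.9, 3.0, 3.2)]  # constructed ~3 m samples
    print("verify:", verify_samples(run, threshold_m=5.0, max_turnaround_s=1e-3, min_confidence=0.9))
    print("replayed:", verify_samples([make_sample(3.0, 0.02)], 5.0, 1e-3, 0.9))
```

On failure a real implementation would, as the description says, discard the shared secret and every derived value and start over with a fresh secret; the example only returns the reject decision.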
  • the first device can also be accessed without providing a username, while in other embodiments, the user has to provide some indication of the user account under which the user wants to access the device.
  • a device-access accelerant module of the first device determines that the second device is associated with a first user account under which a user can access (e.g., can log into) the first device.
  • the accelerant module enables at least one substitute interaction (e.g., a password-less UI interaction) to allow the first device to be accessed without receiving one or more access credentials through a user interface.
  • the accelerant module detects the occurrence of the enabled substitute interaction. In response, the accelerant module directs an authentication module (e.g., a login module) of the first device to allow the first device to be accessed under the first account. In some embodiments, the accelerant module provides to the authentication module a substitute credential (e.g., a secret) in lieu of the first user account access credential(s) (e.g., the account password) in order to direct this module to allow the first device to be accessed under the first user account. In this manner, the first device's accelerant module supports more seamless device-access interactions in lieu of user access-credential entry and thereby accelerates device-access operations on the first device.
  • an authentication module (e.g., a login module)
  • the substitute interaction occurs while the first device is logged into under a second user account
  • this interaction is the selection (e.g., cursor selection, tap selection, etc.) of the first user account in a menu that is presented while the first device is being accessed under the second user account.
  • the substitute interaction occurs while the first device displays a login display- screen presentation that shows multiple user accounts.
  • the substitute interaction is a selection (e.g., cursor selection, tap selection, etc.) of the first user account in the login display-screen presentation.
  • the access-accelerant module in some embodiments examines a data store (e.g., a lookup table) that identifies (1) other devices that are associated with the user accounts for accessing the first device, (2) substitute credentials associated with these other devices, and (3) in some cases, usernames associated with these other devices. Based on this examination, the accelerant module in these embodiments can identify a substitute credential for the first account's user-supplied access credential.
  • a data store (e.g., a lookup table)
  • the first device's communication layer not only identifies the nearby devices, but also identifies the account with which each identified device is associated (e.g., that the second device is associated with the first user account).
  • the communication layer passes to the accelerant module an identifier for the first user account, or a value from which the accelerant module can identify the first user account identifier. Based on this identifier, the accelerant module provides the authentication module the substitute credential for the first user account and, in some cases, the username.
  • the first device's accelerant module not only can accelerate device-access operations (by supporting more seamless device-access interactions in lieu of user access-credential entry), but also can accelerate other operations on the first device that require the submission of user credentials (e.g., passwords, passcodes, biometric input, usernames, etc.).
  • the accelerant module serves as an authorization-accelerant module. For instance, to change some settings (e.g., privacy settings, account settings, security settings, etc.)
  • the accelerant module in some embodiments enables simpler substitute interactions to change a setting, to install a program, and/or to purchase an item on the first device.
  • the accelerant module of the first device enables these substitute interactions when a second associated device is nearby. For instance, some embodiments perform ranging operations on the first device to detect that the second device is within a particular distance of the first device, so that when the second device is within this distance, the accelerant module can enable the substitute interaction on the first device.
  • the substitute interaction in some embodiments can be (1) the selection of a UI item to perform the operation (e.g., to unlock a setting change), or (2) the entry of a value.
  • the accelerant module provides to an authorization module of the first module a substitute credential in lieu of the user-supplied credential so that the authorization module can authorize the operation for the module that has to perform the operation (e.g., for the module that has to change the setting on the device).
  • the substitute interaction for some operations entails sending a request to the second device to seek authorization for a requested operation, after a UI item is selected on the first device.
  • the second device in some embodiments displays the authorization request with a notification that describes the request and provides controls for accepting or rejecting the request.
  • the accelerant module provides to the authorization module a substitute credential in lieu of a user-supplied credential
  • the authorization module authorizes the requested operation for the first-device module that has to perform the operation (e.g., for the module that has to change the setting on the device, install the program or purchase an item on the first device).
  • the above-described interaction is used in some embodiments to send a request to change a setting, install a program or purchase an item from a computer (e.g., laptop or desktop) to a smartwatch that is associated with an
  • the accelerant module can enable substitute interactions on the first device even when the first device is currently being accessed under a user account that does not have privileges for the requested operation. For instance, while a second user account is logged into the first device, a user might try to change a setting, install a program or purchase an item on the first device, which cannot be done by providing the login credentials of the second user account. In these cases, the accelerant module of the first device in some embodiments can send a request to a second device to approve the desired operation (e.g., the change to the setting, the installation of the program, the purchase of the item, etc.) when the second device is within a particular distance of the first device and the second device is associated with the first user account.
  • the desired operation (e.g., the change to the setting, the installation of the program, the purchase of the item, etc.)
  • the accelerant module of the first device does not need to determine that the second device is within a particular range of the first device before sending the second device a request to approve certain substitute interactions on the first device. This is because in these embodiments the first device sends such a request whenever it detects that the second device is available for a direct peer-to-peer connection with the first device through the short-range transceivers (e.g., Bluetooth transceivers, WiFi transceivers, etc.) of the first and second devices.
  • a direct peer-to-peer connection between two devices is a peer-to-peer connection that does not have to go through any other intervening electronic device outside of the two devices. Accordingly, in these embodiments, the first device does not need to perform any ranging operations to determine that the second device is within a certain proximity of the first device before the first-device accelerant module can send an authorization request to the second device.
  • the accelerant module of the first device can enable different sets of substitute interactions when the second device is within different ranges of distances from the first device. For instance, when the second device is within a first distance range of the first device the accelerant module enables a first set of substitute interactions on the first device, in lieu of a second set of interactions on the first device, to perform a first set of operations on the first device. When the second device is within a closer, second distance range of the first device, the accelerant module enables a third set of substitute interactions on the first device, in lieu of a fourth set of interactions on the first device, to perform a second set of operations on the first computing device.
• the second distance range is subsumed in the first distance range in some embodiments. As such, both sets of substitute interactions are enabled when the second device is within the second distance range in these embodiments. Also, the accelerant module disables all of these substitute interactions when the second device falls outside of the first range, and disables only the second set of substitute interactions when the second device falls outside of the second range while still within the first.
• the substitute interactions enabled in some embodiments when the second device is within the closer, second distance range are more seamless (e.g., are faster or require less input from a user) than those enabled when the device is within the farther, first distance range.
• a user in some embodiments can log into an account on the computer through a single stroke input on a peripheral component (e.g., cursor controller, keyboard, etc.) of the computer.
• when the watch is a little farther from the computer, one user on the computer requests an operation (e.g., the change to a setting, the installation of a program, the purchase of an item) and another user on the watch has to approve this request.
  • the accelerant module in some embodiments receives, from a network interface layer of the first device, a notification that the second device is within a first distance of the first device.
  • This notification includes data regarding the operating mode of the second device.
  • the accelerant module determines whether the operating mode meets a set of criteria for allowing the second device to enable a first substitute interaction on the first device in place of a second interaction that requires a user to provide one or more credentials.
• when the operating mode does not meet the set of criteria, the accelerant module directs the network interface layer to terminate a connection session or attempted connection session with the second device.
• when the operating mode meets the set of criteria, the accelerant module enables the first interaction in lieu of the second interaction for performing an operation on the first device.
• the set of criteria associated with the operating mode of the watch in some embodiments includes whether the watch is wrapped around the user's hand and is currently unlocked.
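The range-tiered policy and the operating-mode check described in the items above, as an added worked example (Python written for this page, not code from the patent or from Apple). The interaction names, the range values and the `AccelerantModule` class are assumptions; the patent specifies only that the closer range is subsumed in the farther one, that everything is disabled outside the farther range, and that the operating-mode criteria are "worn and unlocked":

```python
"""Accelerant-module policy: which substitute interactions are enabled for a
given range notification and operating mode.  Added illustration, not Apple's
code; the interaction names and range values are hypothetical."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Hypothetical substitute-interaction sets (the patent names no concrete ones).
FIRST_SET: FrozenSet[str] = frozenset({"remote_approval"})        # farther (first) range
SECOND_SET: FrozenSet[str] = frozenset({"single_stroke_login"})   # closer (second) range


@dataclass(frozen=True)
class OperatingMode:
    """Operating-mode data carried in the notification from the network interface layer."""
    on_wrist: bool   # watch is wrapped around the user's hand
    unlocked: bool   # watch is currently unlocked


def mode_meets_criteria(mode: OperatingMode) -> bool:
    """Set of criteria from the text: worn and unlocked.  Both must hold."""
    return mode.on_wrist and mode.unlocked


def enabled_interactions(distance_m: Optional[float], first_range_m: float,
                         second_range_m: float, mode: OperatingMode) -> FrozenSet[str]:
    """Substitute interactions enabled at this distance.

    The second range is subsumed in the first, so inside the second range both
    sets are enabled; outside the first range nothing is.  A distance of None
    means no ranging result is available and is treated as out of range."""
    if second_range_m > first_range_m:
        raise ValueError("second (closer) range must be subsumed in the first range")
    if not mode_meets_criteria(mode):
        return frozenset()
    if distance_m is None or distance_m > first_range_m:
        return frozenset()
    enabled = set(FIRST_SET)
    if distance_m <= second_range_m:
        enabled |= SECOND_SET
    return frozenset(enabled)


class AccelerantModule:
    """Tracks the enabled set across successive range notifications and
    reports whether the (attempted) connection session should be torn down."""

    def __init__(self, first_range_m: float, second_range_m: float) -> None:
        self.first_range_m = first_range_m
        self.second_range_m = second_range_m
        self.enabled: FrozenSet[str] = frozenset()

    def on_range_notification(self, distance_m: Optional[float],
                              mode: OperatingMode) -> Tuple[FrozenSet[str], bool]:
        """Returns (enabled set, terminate_connection).  When the operating mode
        fails the criteria, everything is disabled and the module asks the
        network interface layer to terminate the session."""
        if not mode_meets_criteria(mode):
            self.enabled = frozenset()
            return self.enabled, True
        self.enabled = enabled_interactions(distance_m, self.first_range_m,
                                            self.second_range_m, mode)
        return self.enabled, False


if __name__ == "__main__":
    module = AccelerantModule(first_range_m=10.0, second_range_m=1.5)
    worn_unlocked = OperatingMode(on_wrist=True, unlocked=True)
    for d in (8.0, 1.0, 12.0):          # watch approaching, then leaving
        print(d, module.on_range_notification(d, worn_unlocked))
    print("taken off", module.on_range_notification(1.0, OperatingMode(False, True)))
```

The two-layer check matters for the failure mode the text calls out: a watch that is in range but no longer on the wrist (or locked) must not keep the seamless interactions alive, and the module signals the interface layer to drop the session rather than merely returning an empty set.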
• Some embodiments allow a user to modify the security state of a target device (e.g., unlocking) based on a relationship (e.g., proximity, paired devices, etc.) with a trusted device.
  • Figure 1 conceptually illustrates a process for a trusted device to use secure ranging to modify a security state of a target device.
• the process 100 of some embodiments is performed by one of the target (e.g., the device whose security state is to be modified) and trusted (e.g., the device authorized to modify the security state) devices.
• in some embodiments, process 100 is initiated at a proxy device that assists the trusted and target devices to find each other.
• the initiating device (e.g., the target or trusted device) initiates the process 100 with a non-initiating device (e.g., the trusted or target device) to modify the security state of the target device.
• process 100 begins by initiating (at 105) the security state change for the target device.
  • the initiation of the security state change of some embodiments is performed by the target device (i.e., the device that is to be unlocked), while in other embodiments, the state change is initiated by the trusted device.
  • the initiating device sends a request to the non-initiati ng device to initiate the security state change.
  • the security state change is initiated through explicit user interactions (e.g., keyboard input, voice commands, opening the lid of a laptop computer, etc.), while in other embodiments, the security state change is initiated through implicit interactions (e.g., moving within a discoverable range, changing the state at the initiating device from locked to unlocked, etc.) between the target and trusted devices.
  • the explicit user interactions of some embodiments require a user to authenticate themselves with the device (e.g., via a password, biometric data (e.g., via a fingerprint sensor)).
  • the initiation of the security state change is initiated by other devices (e.g., location detection based on cameras and/or sensors), which communicate with the initiating device to begin the security state change.
• the process 100 establishes (at 110) an initial connection between the trusted and target devices.
• the initial connection uses a secure, standardized wireless protocol (e.g., Bluetooth) to discover the other device and establish the initial connection.
• the process 100 of some embodiments uses the initial connection to exchange (at 115) ranging connection information (e.g., bootstrap information) used to set up a ranging connection (e.g., over WiFi) between the devices.
• the ranging connection is a wireless channel that is used to exchange ranging information (e.g., through a series of ranging operations) in order to determine whether the target and trusted devices are within a particular range.
• the ranging connection of some embodiments is encrypted to protect the exchanged ranging information from potential attackers.
  • the process 100 performs (at 125) a ranging operation to capture a sample distance measurement between the trusted and target devices.
  • the process 100 uses several sample distance measurements to determine whether the devi ces are in range of each other, allowing for a more precise and secure determination of the proximity of the devices.
• the process 100 then determines (at 130) whether to capture more samples.
• when more samples are needed, the process returns to 125 to perform another ranging operation to capture another sample distance measurement.
• when the ranging operation is precise and secure enough, the process 100 only performs (at 125) a single ranging operation. For example, when the clocks of the trusted and target devices are synchronized, it may not be necessary to gather many samples. However, even in such cases, the capture of multiple samples may allow the devices to more precisely determine the distance between the devices. For example, in some embodiments, the use of multiple distance measurement samples can provide an accuracy of plus or minus a single meter.
• when the process 100 determines (at 130) that no more samples are needed, the process 100 of some embodiments then performs a set of tests (e.g., as a part of a security protocol) to determine whether to authorize the change in security state of the target device. In some embodiments, the process 100 determines whether the devices are within range, whether one or both of the devices have received consent for the security state change, etc.
  • process 100 determines (at 135) whether the devices are within the desired range based on the captured sample distance measurements.
  • the multiple distance measurement samples are statistically analyzed to generate a composite distance measurement, which is then compared to the threshold distance.
  • the devices analyze the distance measurement samples to calculate a confidence level that the device is within a threshold distance. When the confidence level exceeds a threshold value, the devices are deemed to be within an acceptable range.
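The sample-gathering loop (125, 130) and the range decision (135) above, as an added example (not the patent's code). The median composite, the agreement test that decides when to stop sampling, the confidence fraction, the 3 m threshold and the sample values are constructed assumptions; the patent says only that multiple samples are statistically combined into a composite distance that is compared against a threshold, and that a confidence level must exceed a threshold value:

```python
"""Multi-sample proximity decision for process 100 (steps 125-135).
Added illustration, not Apple's code; thresholds, sample counts and the
constructed sample values are assumptions."""
import statistics
from typing import Callable, Iterator, List, Optional


def composite_distance(samples: List[float]) -> float:
    """Composite measurement: the median, which a single stray (reflected or
    injected) sample cannot drag very far."""
    if not samples:
        raise ValueError("no samples")
    return statistics.median(samples)


def in_range_confidence(samples: List[float], threshold_m: float) -> float:
    """Confidence that the devices are within threshold_m: the fraction of
    samples that individually fall inside it."""
    return sum(1 for s in samples if s <= threshold_m) / len(samples)


def samples_agree(samples: List[float], max_mad_m: float = 0.5) -> bool:
    """Median absolute deviation small enough that the samples describe one distance."""
    med = statistics.median(samples)
    return statistics.median(abs(s - med) for s in samples) <= max_mad_m


def need_more_samples(samples: List[float], min_samples: int = 5,
                      max_samples: int = 12) -> bool:
    """Decision at 130: keep sampling until there are enough samples and they
    agree with each other, but never beyond max_samples."""
    if len(samples) >= max_samples:
        return False
    if len(samples) < min_samples:
        return True
    return not samples_agree(samples)


def devices_in_range(samples: List[float], threshold_m: float,
                     min_confidence: float = 0.8) -> bool:
    """Decision at 135: both the composite distance and the confidence must pass."""
    return (composite_distance(samples) <= threshold_m
            and in_range_confidence(samples, threshold_m) >= min_confidence)


def run_ranging(capture: Callable[[], Optional[float]], threshold_m: float) -> bool:
    """Loop 125 -> 130 -> (125 ...) -> 135.  `capture` performs one ranging
    operation and returns a distance in metres, or None when no reply arrives;
    a missing reply fails closed (no security state change)."""
    samples: List[float] = []
    while True:
        d = capture()
        if d is None:
            return False
        samples.append(d)
        if not need_more_samples(samples):
            break
    return devices_in_range(samples, threshold_m)


def scripted_capture(values: List[float]) -> Callable[[], Optional[float]]:
    """Constructed stand-in for the radio: hands out pre-recorded samples."""
    it: Iterator[float] = iter(values)
    return lambda: next(it, None)


# Constructed sample sets (metres).  The late reflected sample (9.8) in the
# first set should not block an in-range decision; the single suspiciously
# short sample (1.0) in the second set should not produce one.
NEAR_SAMPLES = [2.1, 2.3, 9.8, 2.0, 2.2, 2.1, 2.2]
FAR_SAMPLES = [6.0, 5.5, 1.0, 6.2, 5.8, 5.9, 6.1]

if __name__ == "__main__":
    print("near:", run_ranging(scripted_capture(NEAR_SAMPLES), threshold_m=3.0))
    print("far: ", run_ranging(scripted_capture(FAR_SAMPLES), threshold_m=3.0))
```

The point of the median plus confidence pair is that neither a single multipath outlier nor a single short sample (the kind an attacker replaying early would try to produce) decides the outcome on its own.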
• when process 100 determines (at 135) that the devices are within the desired range, the process 100 then determines (at 140) whether the user has indicated consent. For example, in some embodiments, process 100 provides a prompt for a user at one of the devices, requesting consent to modify the security state of the target device.
• user consent may be explicit (e.g., through direct user interaction) or implicit (e.g., trusted device is in an unlocked state). In some embodiments, the explicit consent requires simple approval (e.g., a response to a prompt), while in other embodiments the explicit consent requires authentication (e.g., passkey, biometric data (e.g., via a fingerprint sensor), etc.) of a user at a device.
  • the initiation (at 105) of the security state change serves as consent for the initiating device.
  • the process 100 then only determines (at 140) whether the user has indicated consent for the non-initiating device.
• in other embodiments, process 100 determines (at 140) whether user consent is indicated for both the initiating device and the non-initiating device, after the ranging operations have completed.
  • determining consent after the ranging allows the security state change to seem more responsive as the ranging has already been completed before any user consent is requested.
  • process 100 checks for user consent before any of the ranging operations are performed. This allows the devices to avoid performing any unnecessary ranging operations.
• the process 100 exchanges (at 145) the authorization information through a secured (e.g., encrypted) channel.
• the secured channel of some embodiments uses a highly-secured encryption key to encrypt communications in order to protect the authorization information.
• the authorization information includes, e.g., unlock information, security keys, payment data, etc.
• in some embodiments, the secured channel is established over the initial connection established at step 110. In other embodiments, the secured channel is established over a separate, different connection.
  • the initial connection used for announci ng and discovering the availability of a device, the ranging connection used for the ranging operations, and the connection used to communicate the authorization data are different and separate connections.
• the different connections use different protocols or different methods of communication (e.g., bands of a frequency spectrum, wireless protocols, etc.).
• the data communicated across a particular connection is actually sent through a separate band of a frequency spectrum or network (e.g., the internet).
• the initial connection uses a first wireless protocol to provide ease of discovery and reduced power requirements.
• the ranging connection uses a second wireless protocol for the precision of the wireless frequency and security features.
• FIG. 2 illustrates an example of using secure ranging with a trusted device to modify the security state of a target device.
• the first stage 201 shows a trusted device 210 (e.g., a smart watch, wearable device (e.g., head-mounted, arm-mounted, waist-mounted, ear-mounted, chest-mounted, and the like), mobile phone, wireless headset, tablet, etc.) and a target device 220 (e.g., a laptop computer, mobile phone, tablet, etc.).
• the trusted device 210 of some embodiments is a device that is authorized to make changes in the security state of target device 220.
  • target device 220 sends request 250 to the trusted device 210 over an initial connection (indicated with a solid line).
  • the request 250 of some embodiments is sent when the user initiates the security process (either explicitly or implicitly) from the target device 220.
• the request 250 includes bootstrap information to set up a ranging connection used for exchanging ranging information.
• the second stage 202 shows that a ranging connection (depicted with a dashed line) has been set up between the trusted and target devices 210 and 220.
  • the second stage 202 also shows that ranging information 255 is exchanged between the devices over the rangi ng connection.
  • the ranging information 255 allows one or both of the devices 210 and 220 to compute the distance between the two devices.
  • the ranging information includes multiple sample distance measurements that are further analyzed to determine the distance between the two devices.
  • the third stage 203 shows that both the target device 220 and the trusted device 210 use range calculators 228 and 218 to analyze the exchanged ranging information 222 and 212.
  • the trusted and target devices determine whether to continue with the security state change operation based on the calculated ranges.
  • the exchange of the ranging information 255 and the range calculations are described in further detail below.
• the fourth stage 204 shows that the trusted device 210, after determining that the devices are within an acceptable range, sends unlock key 260.
• the unlock key 260 of some embodiments is used to unlock the target device 220.
  • Various examples in this application are described with reference to an unlocking operation with an unlock key, but it should be understood by one skilled in the art that the novelty of the subject technology is not limited to such an unlocking operation.
  • the unlocking operation may refer to any shift in security state at a target device, based on a relationship with a trusted device
  • the authorization information is sometimes referred to as a key
  • the authorization information may include various different types of information
• the authorization information of some embodiments is a key used to decrypt information (e.g., sensitive information, a master key, etc.) stored on the target device, while in other embodiments the authorization information is encrypted sensitive data (e.g., payment information, user data, etc.). This allows the sensitive information to be stored only on the trusted device and provided to the target device only when the trusted device is within range.
  • the operation moves the target device from a high-level security state to a lower-level security state
  • the target device remains locked during the shift, but the lower-level security state provides additional access to information on the target device.
• the target device provides minimal notifications on a lock screen (i.e., the screen displayed when the device is locked) in the higher-level security state, where any potentially sensitive information is hidden until the device is unlocked.
• by shifting to the lower-level security state (e.g., in the presence of a trusted device), the target device of some embodiments provides a user of the target device with access to more sensitive information for the notifications (e.g., text excerpts, senders, etc.).
• the different security states allow a trusted device to lower the security requirements for accessing the target device.
  • a target device that normally requires an alphanumeric password can be configured to require a simpler pin code.
• the trusted device and the security state shift are used to provide access to an application or to sensitive data within an application (e.g., browser histories, auto-fill data, credit card information, etc.) when the trusted device is within the particular range.
  • the shift in security state can be initiated by either the target device or the trusted device.
  • the shift of some embodiments begins by using an initial connection to establish a ranging connection.
• the initial connection of some embodiments is a secure, standardized wireless connection method (e.g., Bluetooth pairing) that is ubiquitous and efficient.
  • the established initial connection is then used to exchange ranging connection information, which is used to establish a ranging connection.
  • the ranging connection is used to exchange ranging information to determine whether the target and trusted devices are within a particular range.
• Figure 3 conceptually illustrates a process for a target device that establishes a ranging connection with a trusted device.
• the process 300 begins with a trusted device that announces (at 305) its availability.
• the process 300 of some embodiments announces the availability of a device by broadcasting the trusted device's identifier, which allows the target device to determine whether that trusted device can modify the security state of the target device.
  • the target device then optionally receives (at 310) input (explicitly or implicitly) to request the security state change.
• in some embodiments, the request (or consent) for the security state change is not obtained until after the ranging connection is established and the ranging operation is completed.
• the target device then scans (at 315) for the trusted device. Once the target device has identified the trusted device from the scan, it sends (at 320) a request for authorization information that allows the target device to modify its security state (e.g., unlock, change in security state, etc.).
  • the target device also sends (at 320) bootstrap information to set up the ranging connection for performing ranging operations between the target and trusted devices.
• the trusted device receives (at 325) the security state change request along with the bootstrap information and sends (at 330) bootstrap information back to the target device.
• the bootstrap information includes state information (e.g., available bands of a wireless frequency spectrum) for each device.
  • the target device receives the bootstrap information of the trusted device.
• the target and trusted devices then establish (at 340 and 345) the ranging connection between the devices.
• the ranging connection is then used for the ranging process, as described in further detail below.
• FIG. 4 conceptually illustrates a process for a trusted device that establishes a ranging connection with a target device.
• the process 400 begins with a target device that announces (at 405) its availability.
• the process 400 of some embodiments announces the availability of a device by broadcasting the target device's identifier, which allows the trusted device to determine whether it can modify the security state of the target device.
• the trusted device then scans (at 410) for the target device. Once the trusted device has identified the target device from the scan, it sends (at 415) a request for a security state change (e.g., unlock, change in security levels, etc.) at the target device.
  • the trusted device also sends (at 415) bootstrap information to set up a ranging connection for performing ranging operations between the trusted and target devices.
  • the target device receives (at 420) the secure state change request along with the bootstrap information and sends (at 425) bootstrap information back to the trusted device.
  • the bootstrap information includes state information (e.g., available bands of a wireless frequency spectrum) for each device.
  • the trusted device receives the bootstrap information of the target device.
  • the trusted and target devices then establish (at 435 and 440) the ranging connection between the devices.
  • the ranging connection is then used for the ranging process, as described in further detail below.
  • Figures 5 and 6 illustrate examples of initiating the ranging connection from the target and trusted devices respectively.
  • Figure 5 illustrates an example of a target device that establishes a connection with a trusted device in two stages 501 and 502.
  • the first stage 501 shows a laptop computer 510 (i.e., target device) and a watch 520 (i.e., trusted device).
  • the watch 520 is shown announcing its availability.
  • the first stage 501 also shows that a user provides input (e.g., tapping a key, opening the lid of the laptop computer 510, etc.) to initiate a ranging process.
  • the second stage 502 shows that the devices have established (through processes such as those described above with reference to Figures 3 and 4) a wireless ranging connection.
• FIG. 6 illustrates an example of a trusted device that establishes a ranging connection with a target device in two stages 601 and 602.
• the example of this figure shows the laptop computer 510 (i.e., target device) and watch 520 (i.e., trusted device) of Figure 5.
• the laptop computer 510 announces its availability.
• the watch 520 does not receive any input, but rather moves closer to the laptop computer 510.
• the second stage 602 shows that the wireless ranging connection has been established (through processes such as those described above with reference to Figures 3 and 4).
  • continuously announcing the availability of a trusted device requires significant power from the trusted device.
• the initial connection (and the announcing of the availability of the trusted device) are assisted using a proxy device, which may be more suited for continuously announcing the availability of the trusted device.
  • FIG. 7 conceptually illustrates a process for a proxy device that assists in establishing the initial connection between a target device and a trusted device.
  • the process 700 begins by establishing (at 705) a connection with the trusted device.
  • This connection is different from the initial connection described in the examples above, as this connection is between the proxy device and the trusted device, while the initial connection is a connection between the trusted device and the target device.
  • the process of this figure is used to prepare the target and trusted devices to set up the initial connection.
  • the connection between the proxy device and the trusted device of some embodiments is a long-lived connection that is maintained for continuous communications between the devices.
  • the connection is a Bluetooth connection (or channel) between a mobile phone and a watch where the connection is maintained for communications between the devices for as long as the devices remain within range of each other.
• the process 700 then detects (at 710) the availability of the trusted device. In some embodiments, the process 700 merely detects whether the connection with the device is still active, while in other embodiments, the process 700 detects additional information, such as a security state (e.g., locked, unlocked, authorized, etc.). Once the process 700 determines that the trusted device is available, the process 700 broadcasts (at 715) the availability of the trusted device so that a target device can identify the availability of the trusted device. The process 700 then receives (at 720) a first request from the target device for a connection between the target and trusted devices.
• the process 700 then sends (at 725) a second request to the trusted device to establish the initial connection, as described above with reference to Figures 3 and 4.
• in some embodiments, the second request is a request to have the trusted device begin broadcasting its own availability for a short period of time.
• in other embodiments, the proxy device forwards the first request (with or without any bootstrap information) to the trusted device.
  • the trusted device of some such embodiments initiates the connection with the target device, either using the bootstrap information of the second request, or by broadcasting its own availability.
  • FIG. 8 illustrates an example of a proxy device that assists in establishing a connection between a target device and a trusted device.
• the first stage 801 shows the target device 510 and trusted device 520 of Figure 5.
  • This example also shows a proxy device 830.
  • the target device 510 is a laptop computer
  • the trusted device 520 is a watch
  • the proxy device 830 is a mobile phone.
• the first stage 801 also shows that trusted device 520 and proxy device 830 maintain a connection (indicated by a dashed line). In this example, rather than the target or trusted devices announcing their availability, the proxy device 830 announces the availability of the trusted device 520.
• the first stage 801 also shows that the user initiates the unlock operation, sending a request 850 to the proxy device 830.
• the second stage 802 shows that the proxy device 830 sends another request 855 to the trusted device 520.
  • the request 855 is used to have the trusted device begin announcing its availability for a short period of time, while in other embodiments, the request 855 includes information that the trusted device needs to establish the ranging connection with the target device 510.
  • the third stage 803 shows that a ranging connection has been established between the target device 510 and the trusted device 520.
  • the third stage 803 also shows that devices exchange range data 860 as part of a ranging process.
  • the ranging process is described in further detail below with reference to Figures 9-12.
• the target device 510 determines that the trusted device 520 is within the acceptable range, and has been unlocked. A secure method for determining that the devices are within the acceptable range is described below.
  • the target and trusted devices use a secure ranging operation to determine whether the devices are within a desired range.
  • the ranging operation needs to be secured to prevent an attacker from spoofing the devices to make them appear closer than they really are.
  • the security protocols of some embodiments use messages to provide secure ranging information between a trusted device and a target device, allowing the devices to determine whether they are within a specified range of each other before allowing the trusted device to unlock the target device.
• Figure 9 illustrates a sequence diagram that describes an overview for providing secure ranging when unlocking a target device from a trusted device. A more in-depth description of the various elements and steps for providing secure ranging is given with reference to Figures 10-12.
  • the sequence 900 of this figure illustrates a sequence of communications between a trusted device and a target device.
• the sequence 900 begins by establishing a shared secret channel 905 (e.g., encrypted using cryptographic keys) between the trusted device and the target device.
• the sequence 900 shows that the trusted device sends a message (e.g., a nonce or other short-lived token) N1 to the target device.
• the target device processes N1, verifying that the value of N1 is the value that the target expected to receive from the trusted device.
• the target device may also decrypt the signal or perform other operations (e.g., Fourier transformations) on the received message.
• the target device then responds by sending a second, different nonce, N2, back to the trusted device at time T3.
• sequence 900 also shows the times at which the nonces N1 and N2 are sent and received. More specifically, nonce N1 is sent by the trusted device at time T1 and received by the target device at time T2. Nonce N2 is sent by the target device at time T3 and received by the trusted device at time T4. In some embodiments, the trusted and target devices record timestamps when the nonces N1 and N2 are sent and received by each device.
• a particular nonce may be received at multiple times at the receiving device. This may occur when a wireless signal is reflected off of other surfaces or around obstructions. A signal may lose strength as it travels through an obstruction (e.g., a wall), while a reflected signal is largely unimpeded. In such a case, the strongest signal to a device is not necessarily the first signal that is received at the device. However, in order to get the most accurate determination of the proximity of a device, the receiving devices of some embodiments identify a timestamp for the first received signal, rather than the strongest signal.
  • the devices then exchange the timestamps recorded at each device in order to calculate the time of flight for the nonces N1 and N2 between the devices.
• the trusted device sends timestamps T1 and T4 to the target, while the target sends timestamps T2 and T3 back to the trusted device.
• while in some embodiments the timestamps are exchanged in a single operation after the exchange of the nonces, other embodiments send the timestamps to the other device as soon as they are recorded.
• for example, in some such embodiments, the target sends timestamp T2 back to the trusted device before sending nonce N2.
• the trusted device and the target device then verify the exchanged timestamps to determine whether the devices are within a certain proximity of each other and whether the exchanged timestamps can be trusted. In some embodiments, only one of the devices performs the verification process. However, in preferred embodiments, both the trusted device and the target perform the verification process before allowing the target device to be unlocked.
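The sequence-900 exchange above, carried through with both sides' messages, as an added example (not Apple's code). Timestamps are in nanoseconds; the ranging-channel key, the expected nonce values, the clock offset between the devices and the reply delay are constructed, and the reply-delay bound and maximum distance are assumed parameters. It also shows the two checks a verifier wants on the exchanged timestamps: authentication under the key of the ranging channel, and plausibility of the reply delay against the round trip, since a peer that reports an inflated reply delay would otherwise compute a shorter distance than the true one:

```python
"""Two-way secure ranging exchange of sequence 900, both sides' messages.
Added illustration, not Apple's code.  Ranging-channel key, expected nonces,
clock values and reply delay are constructed; time unit is nanoseconds."""
import hashlib
import hmac
import struct
from typing import List, Tuple

C_M_PER_NS = 0.299792458          # speed of light, metres per nanosecond

# Constructed: key for ranging channel 915 (the text derives it from the shared
# secret) and the nonces both devices expect, standing in for derived values.
RANGING_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
EXPECTED_N1 = bytes.fromhex("a1" * 16)
EXPECTED_N2 = bytes.fromhex("b2" * 16)


def first_arrival(arrivals: List[Tuple[float, float]]) -> float:
    """arrivals: (time_ns, signal_strength_dbm) for each copy of a nonce heard.
    Take the earliest copy, not the strongest: reflections arrive later."""
    return min(t for t, _ in arrivals)


def check_nonce(received: bytes, expected: bytes) -> None:
    """Receiver verifies the nonce is the value it expected from the peer."""
    if not hmac.compare_digest(received, expected):
        raise ValueError("unexpected nonce: not from the peer, or replayed")


def seal_timestamps(key: bytes, *stamps: float) -> bytes:
    """Timestamps travel over the ranging channel authenticated with the derived key."""
    payload = struct.pack(">%dd" % len(stamps), *stamps)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def open_timestamps(key: bytes, msg: bytes, count: int) -> Tuple[float, ...]:
    payload, tag = msg[:8 * count], msg[8 * count:]
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        raise ValueError("timestamp message failed authentication")
    return struct.unpack(">%dd" % count, payload)


def verify_and_range(t1: float, t2: float, t3: float, t4: float,
                     max_reply_ns: float = 1000.0, max_distance_m: float = 100.0) -> float:
    """Time of flight = ((T4 - T1) - (T3 - T2)) / 2.  T1/T4 are on the trusted
    device's clock and T2/T3 on the target's, so no clock sync is needed."""
    round_trip, reply = t4 - t1, t3 - t2
    if round_trip <= 0 or reply < 0:
        raise ValueError("timestamps out of order")
    if reply > max_reply_ns:
        raise ValueError("reply delay exceeds the bound agreed for the protocol")
    if reply > round_trip:
        raise ValueError("reply delay longer than the round trip: forged timestamp")
    distance = (round_trip - reply) / 2.0 * C_M_PER_NS
    if distance > max_distance_m:
        raise ValueError("devices out of range")
    return distance


def simulate_exchange(true_distance_m: float, reply_delay_ns: float = 200.0,
                      target_clock_offset_ns: float = 5000.0,
                      reflection_delay_ns: float = 7.0,
                      n1_sent: bytes = EXPECTED_N1) -> Tuple[float, float]:
    """Run the whole exchange; return (distance at trusted, distance at target)."""
    tof = true_distance_m / C_M_PER_NS
    # trusted -> target: N1 sent at T1; target hears a direct copy and a later,
    # stronger reflection and timestamps the first one
    t1 = 1000.0
    check_nonce(n1_sent, EXPECTED_N1)
    t2 = first_arrival([(target_clock_offset_ns + t1 + tof, -70.0),
                        (target_clock_offset_ns + t1 + tof + reflection_delay_ns, -55.0)])
    # target -> trusted: N2 sent at T3 (target clock), received at T4 (trusted clock)
    t3 = t2 + reply_delay_ns
    check_nonce(EXPECTED_N2, EXPECTED_N2)
    t4 = (t3 - target_clock_offset_ns) + tof
    # timestamps exchanged over the authenticated ranging channel
    from_trusted = seal_timestamps(RANGING_KEY, t1, t4)
    from_target = seal_timestamps(RANGING_KEY, t2, t3)
    r_t1, r_t4 = open_timestamps(RANGING_KEY, from_trusted, 2)
    r_t2, r_t3 = open_timestamps(RANGING_KEY, from_target, 2)
    d_at_target = verify_and_range(r_t1, t2, t3, r_t4)   # target uses its own T2/T3
    d_at_trusted = verify_and_range(t1, r_t2, r_t3, t4)  # trusted uses its own T1/T4
    return d_at_trusted, d_at_target


if __name__ == "__main__":
    print("distance seen by (trusted, target):", simulate_exchange(3.0))
```

Both devices verify, as the text prefers: each side trusts only its own two timestamps and must authenticate the other two, and the arithmetic is the same on both sides because the subtraction cancels the clock offset. A relay attacker can only add delay (making the devices look farther apart), so the remaining lever is reporting a larger reply delay, which the bound and the round-trip comparison reject.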
• sequence 900 shows that the trusted device sends an unlock message 960 to the target device over the shared secret channel 905.
• the unlock message 960 allows the target device to be unlocked.
  • the unlock message 960 is a secret that is shared with the trusted device during a pairing operation or an authorization operation in which the trusted device is granted the authority to unlock the target device.
  • the unlock message 960 of some embodiments is a key that was sent to the trusted device during the pairing operation by the target device.
  • the master key is derived by the target device from a passcode (or other authentication information) that is used to unlock the target device. The target device can build a token by encrypting the master key with the unlock message, so that when the trusted device returns the unlock message (after the secure ranging operation) to the target device, the target device can use the unlock message to decrypt the token to retrieve the master key and unlock the target device.
  • each of the channels operates over multiple different connections. In some embodiments, multiple different channels are used for the ranging process.
  • the process of some embodiments uses the high-security shared secret channel 905 to communicate the unlock message 960, but uses a separate ranging channel 915 based on a key derived from the shared secret to communicate the timestamps for the different nonces.
  • the ranging channel 915 of some embodiments is a secured channel established over the established ranging connections described above.
• in other embodiments, the unlock message 960 and the timestamps 950 and 955 are sent through the same channel.
  • the nonces in some embodiments are sent through the ranging channel 915 (i.e., encrypted with the derived key), while in other embodiments the nonces are sent unencrypted through the air through a particular connection 910 (e.g., a particular band of radio frequencies).
  • the particular connection 910 is a high-frequency connection that allows for a precise determination of the proximity of the devices.
• FIG. 10A-B illustrate an example of providing secure ranging when unlocking (or otherwise modifying the security state of) a target device from a trusted device in seven stages 1001-1007.
  • the first stage 1001 shows a trusted device 1010 and a target device 1020.
• the devices 1010 and 1020 are connected with a secured channel 1030.
  • secured channel 1030 represents communications between the devices that are encrypted with a shared secret SS that is shared between the devices.
  • the SS is stored in a memory 1012 of the trusted device 1010 and in a memory 1022 of the target device 1020.
• the shared secret is a highly secured system secret that is used to protect highly sensitive data that is communicated between the devices 1010 and 1020.
• some embodiments provide a secure enclave processor (SEP) within the processor architecture that provides heightened levels of security for the sensitive data in a segregated and secure area of the hardware and/or software of the devices.
• the ranging data used for the ranging operation of some embodiments does not use the shared secret directly (i.e., is not sent through secured channel 1030), but rather uses the shared secret to generate (e.g., through derivation functions) other shared values that are used for encrypting and verifying the sources of the ranging data.
  • the shared secret for the secured channel 1030 is shared between the devices by performing a secure secret sharing operation over an unsecured channel.
  • the method of some embodiments uses a Diffie-Hellman exchange to provide secure and ephemeral shared secrets between the devices.
  • the shared secret and/or the various shared values are shared between the devices through a cloud service (e.g., iCloud).
  • the cloud service of some embodiments is associated with a user account that is associated with various devices.
  • the cloud service of some embodiments is then used to share the different shared values for the associated devices. The use of the cloud service to share secrets is further described below.
  • the second stage 1002 shows devices 1010 and 1020 with key derivers 1015 and 1025, respectively.
  • the key derivers of some embodiments represent a module that, given a common input, generates another pseudo-random key or value (e.g., using a key derivation function). In some embodiments, the key derivers apply a one-way function to the input, which cannot be undone to reveal the original input.
  • key derivers 1015 and 1025 each take the shared secret as input and generate a derived key DK1. Because key derivers 1015 and 1025 use the same derivation function at both devices 1010 and 1020, the same derived key DK1 is stored at both devices. In this manner, shared values can be generated at each of the devices without having to send them between the devices.
  • In some embodiments, in addition to the derived key, the key derivers 1015 and 1025 are used to derive nonces N1 and N2. In some embodiments, the key deriver only uses the shared secret for deriving the derived key, and any other values (e.g., the nonces) are then derived from the derived key DK1.
  • In other embodiments, the nonces are derived directly from the shared secret SS.
  • some embodiments use different derivation functions to generate the different nonces. In this way, the nonces cannot be predicted by an attacker, so the attacker cannot generate a false ranging signal.
  • Nonces N1 and N2 of some embodiments are sent on a signal that is transmitted between the devices.
  • nonces N1 and N2 are used by the receiving device to verify that the sender of the nonce is a trusted partner for the communication. An attacker would not be able to independently generate nonces N1 and N2 without access to the high security shared secret.
  • While this example shows the key derivers 1015 and 1025 deriving the derived key DK1 and nonces N1 and N2 in a single step, the key derivers of some embodiments generate the derived key and nonces as they are needed (e.g., for encrypting, sending, verifying, etc.).
  • the third stage 1003 shows that the derived key DK1 is used to set up a ranging channel 1040.
  • the ranging channel of some embodiments is used to send various data (e.g, nonces, timestamps, etc.) used for the ranging operation between the devices.
  • Trusted device 1010 sends a nonce N1 1050 to the target device 1020 through the ranging channel 1040.
  • the trusted device 1010 also records a timestamp T1 at the time when the nonce N1 is sent.
  • the nonce is shown as being sent over the ranging channel (i.e, encrypted with the derived key DK1 ), however, in some embodiments the nonces are sent unencrypted through the air at a particular frequency that is set apart for communication between the devices.
  • the signal is a calibration signal that is used to set up communication (direction, band, etc.) between the devices and the nonce (e.g, a 53-bit nonce) is encoded in a frequency shape that can be analyzed and decoded.
  • the encoded signal represents an accumulation of sine waves which the receiver can analyze (e.g, using Fourier transforms) to retrieve the nonce as a binary output.
  • In the fourth stage 1004, target device 1020 has received nonce N1 and verified it against the nonce N1 that was derived with key deriver 1025 and stored in memory 1022 of the target device 1020.
  • target device 1020 records timestamps T2 and T3. Timestamp T2 marks the time when N1 is received at target device 1020, while timestamp T3 marks the time when N2 1055 is sent from the target device 1020 to the trusted device 1010.
  • In this example, nonce N2 was derived together with nonce N1 from the derived key DK1, but in some embodiments the nonce N2 is not derived until the nonce N1 received from the trusted device 1010 has been verified.
  • the fifth stage 1005 shows that the devices 1010 and 1020 exchange the timestamps T1-T4 through the ranging channel 1040.
  • Trusted device 1010 sends timestamps T1 and T4 1065 (the times when N1 was sent and N2 was received) to the target device 1020.
  • Target device 1020 sends timestamps T2 and T3 1060 (the times when nonce N1 was received and nonce N2 was sent) to the trusted device 1010.
  • the sixth stage 1006 shows that devices 1010 and 1020 use the timestamps T1-T4 to calculate the range or proximity of the devices to each other.
  • the devices of some embodiments then use the timestamps to calculate the distance between the devices, determining whether the devices are within a desired proximity of each other.
  • the messages are sent through the air via radio waves which travel at the speed of light.
  • the devices of some such embodiments calculate the distance between the two devices based on how long it takes for a message to travel between the devices (e.g., the time between the sending and receiving of the message) and the speed of light.
  • the range calculation of some embodiments further calculates a ratio of the Responder frequency to the Initiator frequency (rRI) to get better precision for the range calculations by identifying an offset of the communicating frequency between the two devices.
  • One or more of the range calculators 1018, 1028 of such embodiments calculates the time of flight between the devices as:
  • Time of flight = 1/2 * ((T4 - T1) - (T3 - T2) * rRI)
  • Here T4 - T1 is the round trip as measured on the initiator's (trusted device's) clock, and T3 - T2 is the responder's (target device's) turnaround time as measured on its own clock; rRI rescales that turnaround time so that the two intervals can be subtracted.
  • the rRI is used because an offset may result from minor manufacturing variances (within manufacturing tolerances) in the devices' clocks, which would otherwise cause the devices to miscalculate the actual distance between them. Some embodiments calculate the rRI by comparing a received signal with a local signal to identify any offset. However, when the rRI is used to calculate the range, an active relay-and-repeat man-in-the-middle (MITM) attack can sample all protocol packets and ranging waveforms transmitted by one of the devices and repeat them at a slower frequency to the other authentic device. This introduces an artificial increase in the rRI, which can cause the devices to appear to be closer to each other than they actually are.
  • To limit this, the range calculator of some embodiments ensures that rRI is within a particular range (e.g., within a reasonable tolerance range for manufacturing variances).
  • the range calculator of some embodiments also limits the time (T3 - T2), which limits the amount of time-of-flight (TOF) gain that an attacker can capture using such an attack.
  • In some embodiments, a likelihood ratio (or, e.g., a log-likelihood ratio) test is employed.
  • the likelihood ratio computes the ratio of the composite probabilities of being either inside or outside of a proximity, based on an input set of ranges (e.g., the range measurements) and the modeled distributions.
  • the ratio may then be compared to a threshold to determine the result of the unlock decision.
  • in such embodiments, the distance between the two devices may not be directly computed, and the threshold may not be expressed as a distance. Determining whether devices are within range based on wireless signals is further described in U.S. Patent Application 15/272,892, entitled "Unlocking a Device". U.S. Patent Application 15/272,892 is incorporated herein by reference.
  • In addition to verifying that the timestamps indicate that the devices are within the desired proximity, the method of some embodiments also performs other verification operations to prevent an attacker from spoofing the location of one or both devices. For example, in some embodiments, the method enforces a constraint on the time between the receipt of a first message at the target device (T2) and the sending of a second message from the target device (T3). The constraint ensures that the time between the receipt of the first message and the sending of the second message is too short to allow an attacker to use replay attacks that take advantage of clock drift to make the devices appear to be closer together than they really are. In some embodiments, the constraint is a percentage of the required accuracy of the clock frequency for the signals communicated between the devices.
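The time-of-flight formula, the rRI tolerance check and the cap on the turnaround time (T3 - T2) described above, worked through in Python. This is an added example, not code from the patent or from Apple: the tolerance (20 ppm) and turnaround cap (100 µs) are illustrative assumptions, and `relay_attack` is a simplified model of the relay-and-repeat MITM in which the attacker adds a fixed delay to each leg and forges exactly the rRI needed to hide it.

```python
C = 299_792_458.0  # speed of light in m/s; radio messages travel at c


class RangingRejected(ValueError):
    """Raised when a ranging sample fails one of the plausibility checks."""


def time_of_flight(t1, t2, t3, t4, rri=1.0):
    """One-way time of flight from the four ranging timestamps.

    T1 = trusted device sends N1, T2 = target receives N1,
    T3 = target sends N2,       T4 = trusted device receives N2.
    T1/T4 are read from the initiator's clock and T2/T3 from the responder's,
    so the responder turnaround (T3 - T2) is rescaled by rRI before it is
    subtracted from the round trip (T4 - T1).
    """
    return 0.5 * ((t4 - t1) - rri * (t3 - t2))


def distance_m(t1, t2, t3, t4, rri=1.0):
    return time_of_flight(t1, t2, t3, t4, rri) * C


def checked_distance_m(t1, t2, t3, t4, rri, *, rri_tolerance=20e-6,
                       max_turnaround_s=100e-6):
    """Distance after the two checks: rRI must stay within a manufacturing-
    tolerance window, and the turnaround (T3 - T2) is capped so that a relay
    cannot hide much delay inside it. Both limits are assumed values."""
    if abs(rri - 1.0) > rri_tolerance:
        raise RangingRejected(f"rRI {rri:.6f} outside +/-{rri_tolerance} tolerance")
    turnaround = t3 - t2
    if not 0.0 < turnaround <= max_turnaround_s:
        raise RangingRejected(f"turnaround {turnaround:.3e}s outside (0, {max_turnaround_s}]")
    return distance_m(t1, t2, t3, t4, rri)


def relay_attack(t1, t2, t3, t4, relay_delay_s):
    """Relay-and-repeat MITM model: every leg now also crosses the relay, so
    the round trip grows by 2 * relay_delay_s, and the attacker replays at a
    slower rate so that the responder turnaround looks longer, i.e. the
    measured rRI rises by just enough to cancel the added delay.
    Returns the timestamps and rRI the honest initiator would observe."""
    turnaround = t3 - t2
    forged_rri = 1.0 + 2.0 * relay_delay_s / turnaround
    return t1, t2, t3, t4 + 2.0 * relay_delay_s, forged_rri


def max_attacker_distance_gain_m(rri_tolerance, max_turnaround_s):
    """Upper bound on how much closer an attacker can appear while still
    passing both checks: 1/2 * max_turnaround * rri_tolerance, in metres."""
    return 0.5 * max_turnaround_s * rri_tolerance * C
```

With a 50 µs turnaround, hiding a 1 µs (about 300 m) relay requires rRI of 1.04, four orders of magnitude outside any clock tolerance, so `checked_distance_m` rejects it; with the assumed limits the residual gain an attacker can capture is bounded by about 0.3 m, which is why the cap on (T3 - T2) matters as much as the rRI window.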
  • the seventh stage 1007 shows that trusted device 1010 sends an unlock record 1070 through the secured channel 1030.
  • the unlock record 1070 is a secret or a key that can be used to securely recover (e.g., decrypt) a master key at the target device.
  • the master key of some embodiments is used by the target device 1020 to unlock other keys and secure data that can be used to unlock and provide access to the target device 1020.
  • the unlock record 1070 of some embodiments is generated by the target device 1020 and sent to the trusted device 1010 during a pairing or authorization process used for authorizing the trusted device to unlock the target device.
  • the shared secret and/or the various shared values in some embodiments are shared between the devices through a cloud service (e.g., iCloud).
  • in some such embodiments, both the trusted device (e.g., the watch) and the target device (e.g., the computer) are signed into a cloud-based storage account (e.g., an iCloud account) that is protected with two-factor authorization.
  • each of these devices places its public Auto Unlock Identity into a cloud-synchronized keychain.
  • When the trusted device is provisioned (i.e., is enabled) for unlocking the target device, a secure link is established by using the Auto Unlock Identities.
  • the target device creates a random one-time use unlock secret and transmits it to the trusted device over the link.
  • the secret is stored on the trusted device and can only be accessed when the trusted device is unlocked.
  • the user’s password is neither the master entropy nor the new secret.
  • the target device uses Bluetooth Low Energy to create a connection to the trusted device.
  • a secure link is then established between the two devices using the shared keys used when the trusted device was first provisioned (i.e., enabled) for unlocking the target device.
  • the two devices then use peer-to-peer Wi-Fi and a secure key derived from the secure link to determine the distance between the two devices. If the devices are within range, the secure link is then used to transfer the pre-shared secret to unlock the target device.
  • the target device replaces the current unlock secret with a new one-time use unlock secret and transmits the new unlock secret to the trusted device over the link.
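The one-time unlock secret life cycle described above (provisioning, release only while the trusted device is unlocked, recovery of the master key, rotation after every use), as an added Python example that is not code from the patent or from Apple. The wrapping of the master key is a toy construction (HMAC-SHA256 keystream plus tag) standing in for a real AEAD; the class and method names are this example's own, and the secure link and ranging result are represented by an `in_range` flag.

```python
import hashlib
import hmac
import secrets


def _subkey(unlock_secret, label):
    """Derive a per-purpose 32-byte key from the one-time unlock secret."""
    return hmac.new(unlock_secret, label, hashlib.sha256).digest()


def wrap_master_key(master_key, unlock_secret):
    """Unlock record: master key XORed with a keystream derived from the
    unlock secret, followed by an HMAC tag over the ciphertext.
    Toy stand-in for an AEAD; the structure, not the cipher, is the point."""
    assert len(master_key) == 32
    body = bytes(m ^ k for m, k in zip(master_key, _subkey(unlock_secret, b"wrap")))
    tag = hmac.new(_subkey(unlock_secret, b"mac"), body, hashlib.sha256).digest()
    return body + tag


def unwrap_master_key(record, unlock_secret):
    """Recover the master key, or None if the secret does not fit the record
    (a stale or replayed secret fails the tag check)."""
    body, tag = record[:32], record[32:]
    expected = hmac.new(_subkey(unlock_secret, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(b ^ k for b, k in zip(body, _subkey(unlock_secret, b"wrap")))


class TrustedDevice:
    """The watch: holds the current unlock secret and releases it only while
    the watch itself is unlocked."""

    def __init__(self):
        self.unlock_secret, self.unlocked = None, False

    def store_unlock_secret(self, secret):
        self.unlock_secret = secret

    def release_unlock_secret(self):
        return self.unlock_secret if self.unlocked else None


class TargetDevice:
    """The computer: persists only the wrapped master key. The master key is
    kept in this object for the demo so the record can be re-wrapped at
    rotation time; the unlock secret itself is never retained here."""

    def __init__(self, master_key):
        self.master_key, self.record, self.unlocked = master_key, None, False

    def provision(self, trusted):
        """Pairing/authorization: mint a random one-time secret, wrap the
        master key with it and hand the secret to the trusted device."""
        secret = secrets.token_bytes(32)
        self.record = wrap_master_key(self.master_key, secret)
        trusted.store_unlock_secret(secret)

    def auto_unlock(self, trusted, in_range):
        """Called after secure ranging: fetch the secret over the secure link,
        recover the master key, then replace the consumed one-time secret."""
        if not in_range:
            return False
        secret = trusted.release_unlock_secret()
        if secret is None or unwrap_master_key(self.record, secret) is None:
            return False
        self.unlocked = True
        self.provision(trusted)  # rotation: the old secret is now useless
        return True
```

Note what is not involved: the user's password is neither an input to `wrap_master_key` nor derivable from the unlock secret, and a secret captured from one unlock does not open the rotated record.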
  • In other embodiments, the nonces are not derived from a key, but rather are shared by one of the devices with the other device.
  • the nonces are shared through a cloud storage based on a common user account that is associated with both devices.
  • the nonces are shared between the devices over the secured channel, prior to the ranging operation.
  • the derived key for the ranging channel in the examples above does not have to be derived from the shared secret, but can be shared through other means (e.g., Diffie-Hellman) or may use no key at all.
  • FIG 11 conceptually illustrates a process for a trusted device that provides secure ranging to capture sample distance measurements.
  • the process 1100 of some embodiments is performed by a trusted device (e.g., a watch, a mobile phone, a key fob, etc.) that is used to unlock another device (e.g., a laptop, a desktop computer, a tablet, etc.).
  • a particular device may operate as both a trusted device for a first set of devices and as a target device for a second set of devices.
  • the process 1100 begins by sharing (at 1105) a shared secret.
  • the process 1100 then derives (at 1110) a derived key for encrypting and exchanging ranging data.
  • the ranging data of some embodiments includes the timestamps for when the different nonces are sent between the devices.
  • the ranging data of some embodiments includes a set of nonces that are sent with ranging signals between the devices to allow a receiving device to confirm the identity of the sender of a ranging signal.
  • the process 1100 then derives (at 1115) a nonce for the trusted device.
  • the trusted- device nonce allows a target device to verify that the nonce came from the trusted device (e.g, because it has also generated the same nonce).
  • the process 1100 then sends (at 1120) the trusted-device nonce to the target device and records the sent time (Tl).
  • the process 1100 then receives (at 1125) a target nonce from the target device and records the received time (T4). The process 1100 then determines (at 1130) whether the target nonce is a valid target nonce. For example, in some embodiments, the process 1100 determines (at 1130) that the target nonce is valid when it matches a nonce generated at the trusted device (e.g., derived from a common derived key).
  • When the process 1100 determines (at 1130) that the target nonce is not valid, the process 1100 returns to step 1105 and shares (at 1105) a new secret to restart the ranging process. As it is important for a particular nonce to only be sent once, the process 1100 of some embodiments shares (at 1105) a new shared secret every time the ranging operation fails. While some embodiments may allow a shared secret to be used for more than one ranging operation, this can allow an attacker to capture the nonces and replay them to trick a device into believing that the other device is closer than it really is.
  • the shared secret (and any values derived from the shared secret) are only used for a single ranging operation, so when the method of some embodiments determines that the devices are not within the desired proximity (or that the ranging information cannot be verified), the method discards the shared secret and any shared values (e.g., nonces, derived keys, etc.) and generates a new shared secret before beginning the process again.
  • When the process 1100 determines (at 1130) that the target nonce is valid, the process 1100 records (at 1135) the sample distance measurement and ends.
  • FIG. 12 conceptually illustrates a process for a target device that uses secure ranging with a trusted device to capture sample distance measurements.
  • the process 1200 of some embodiments is performed by a target device when a trusted device (e.g., a watch, a mobile phone, key fob, etc.) is used to unlock the target device (e.g.. a laptop, a desktop computer, a tablet, etc.).
  • a particular device operates as both a trusted device for a first set of devices and as a target device for a second set of devices.
  • the process 1200 begins by sharing (at 1205) a shared secret with the trusted device.
  • the process 1200 then derives (at 1210) a derived key for encrypting and exchanging ranging data.
  • the ranging data of some embodiments includes the timestamps for when the different nonces are sent between the devices.
  • the ranging data of some embodiments includes a set of nonces that are sent with ranging signals between the devices to allow a receiving device to confirm the identity of the sender of a ranging signal.
  • the process 1200 then receives (at 1215) a nonce from the trusted device and records the received time (T2).
  • the trusted-device nonce allows the target device to verify that the nonce came from a trusted device (e.g., because it has also generated the same nonce).
  • the process 1200 determines (at 1220) whether the trusted-device nonce is valid. For example, in some embodiments, the process 1200 determines (at 1220) that the trusted-device nonce is valid when it matches a corresponding nonce generated at the trusted device (e.g., derived using a same derivation function from a common derived key).
  • When the process 1200 determines (at 1220) that the trusted-device nonce is not valid, the process 1200 returns to step 1205 and shares (at 1205) a new secret to restart the ranging process. As it is important for a particular nonce to only be sent once, the process 1200 of some embodiments shares (at 1205) a new shared secret every time the ranging operation fails. While some embodiments may allow a shared secret to be used for more than one ranging operation, this can allow an attacker to capture the nonces and replay them to trick a device into believing that the other device is closer than it really is.
  • When the process 1200 determines (at 1220) that the trusted-device nonce is valid, the process 1200 generates (at 1225) a target nonce.
  • the target nonce allows a trusted device to verify that the generated nonce came from the target device (e.g, because it has also generated the same nonce).
  • the process 1200 then sends (at 1230) the generated target nonce to the trusted device and records the sent time (T3).
  • the process 1200 then records (at 1235) the sample distance measurement.
  • the process 1200 ends.
  • the process is repeated several times to collect multiple sample distance measurements.
  • the processes 1100 and 1200 of some embodiments generate a new shared secret for each sample distance measurement, while in other embodiments the same shared secret is used for all the sample distance measurements, but new keys and nonces are derived for each sample.
  • the collected sample measurements are then used to determine whether the two devices are within the required range, as described below with reference to
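Processes 1100 and 1200 run against each other, as an added Python example that is not code from the patent or from Apple. It derives DK1, N1 and N2 from a fresh shared secret with HMAC-SHA256 (a concrete choice of one-way derivation function; the patent does not name one), sends N1/N2 and the T1-T4 timestamps through a simulated air interface, authenticates the timestamp exchange under DK1 (an authentication-only stand-in for the encrypted ranging channel), discards the shared secret after every sample or failure, and shows that a responder without the shared secret cannot produce a nonce that verifies. `Sim`, the label strings and the clock offset are this example's assumptions.

```python
import hashlib
import hmac
import os
import struct

C = 299_792_458.0  # m/s


def kdf(key, label, n=32):
    """One-way derivation (HMAC-SHA256), standing in for key derivers 1015/1025."""
    return hmac.new(key, label, hashlib.sha256).digest()[:n]


def derive_ranging_material(shared_secret):
    """SS -> DK1 -> (N1, N2). Each nonce has its own derivation label, so neither
    can be predicted without DK1, and DK1 not without SS."""
    dk1 = kdf(shared_secret, b"ranging-channel-key")
    return dk1, kdf(dk1, b"nonce-trusted-device", 8), kdf(dk1, b"nonce-target-device", 8)


def seal(dk1, t_a, t_b):
    """Timestamp message on the ranging channel: two doubles plus an HMAC under DK1."""
    body = struct.pack(">dd", t_a, t_b)
    return body + hmac.new(dk1, body, hashlib.sha256).digest()


def open_sealed(dk1, msg):
    body, tag = msg[:16], msg[16:]
    if not hmac.compare_digest(tag, hmac.new(dk1, body, hashlib.sha256).digest()):
        raise ValueError("ranging-channel message failed authentication")
    return struct.unpack(">dd", body)


class Sim:
    """Simulated air interface: one global time line, propagation delay of
    distance / c per leg. The target's clock carries an offset to show that
    only T4 - T1 and T3 - T2 enter the result."""

    def __init__(self, distance_m, turnaround_s=50e-6, target_clock_offset=0.37):
        self.now, self.tof = 0.0, distance_m / C
        self.turnaround, self.offset = turnaround_s, target_clock_offset


def target_device(sim, shared_secret, n1_received):
    """Process 1200: verify N1, derive N2 only after verification, record T2/T3."""
    dk1, n1_expected, n2 = derive_ranging_material(shared_secret)
    t2 = sim.now + sim.offset                                # 1215: N1 received
    if not hmac.compare_digest(n1_received, n1_expected):    # 1220
        return None
    sim.now += sim.turnaround
    t3 = sim.now + sim.offset                                # 1230: N2 sent
    return n2, seal(dk1, t2, t3)


def rogue_target(sim, shared_secret, n1_received):
    """Attacker in place of the target: without SS it can only guess N2."""
    sim.now += sim.turnaround
    return os.urandom(8), b"\0" * 48


def trusted_device_sample(sim, shared_secret, target):
    """Process 1100 for one sample. Returns the distance in metres, or None when
    the target's nonce fails verification (caller then shares a new secret)."""
    dk1, n1, n2_expected = derive_ranging_material(shared_secret)
    t1 = sim.now                                             # 1120: N1 sent
    sim.now += sim.tof
    reply = target(sim, shared_secret, n1)
    if reply is None:
        return None
    n2, ts_msg = reply
    sim.now += sim.tof
    t4 = sim.now                                             # 1125: N2 received
    if not hmac.compare_digest(n2, n2_expected):             # 1130
        return None
    t2, t3 = open_sealed(dk1, ts_msg)                        # timestamp exchange
    return 0.5 * ((t4 - t1) - (t3 - t2)) * C                 # 1135


def ranging_session(sim, target, samples=3, max_attempts=6):
    """Collect `samples` distances, using a fresh shared secret for every sample
    and every failed attempt so no nonce is ever sent twice.
    Returns (distances, number_of_secrets_used)."""
    distances, used = [], 0
    while len(distances) < samples and used < max_attempts:
        shared_secret = os.urandom(32)   # 1105: e.g. the output of a DH exchange
        used += 1
        d = trusted_device_sample(sim, shared_secret, target)
        if d is not None:
            distances.append(d)
    return distances, used
```

The rogue responder burns one shared secret per attempt and never yields a sample, which is the behaviour the "new secret on every failure" rule is meant to produce; the nonces themselves are only 8 bytes here because the example is about the flow, not the encoding over the air.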
  • the ranging operations are performed in a number of stages.
  • the devices of some embodiments have hardware that can communicate on multiple bands of a frequency spectrum.
  • in some cases it is desirable to use a lower-frequency band (e.g., due to power requirements), but the lower-frequency band may not be able to provide the precision required to determine whether the trusted device is near the target device.
  • the different bands may provide different minimum threshold resolvable differences with different threshold distances.
  • Figure 13 illustrates an example of primary and secondary threshold distances from a device. This figure shows a target device 1305 that is to be unlocked. This figure is used to illustrate the different distances used for a dual-band ranging operation, and is described with reference to Figure 14.
  • Figure 14 conceptually illustrates a process for performing a ranging operation with multiple frequency bands,
  • the process 1400 begins by performing (at 1405) a ranging operation with a first lower-frequency band.
  • the lower-frequency band may be used to determine (at 1410) whether a trusted device is within a secondary threshold distance 1315 (i.e., not the primary threshold distance used to determine whether the devices are in the necessary proximity to each other), but may not specifically distinguish where the trusted device is within the secondary threshold distance 1315.
  • the ranging operation of some embodiments is similar to the operations described above, but as it cannot yet determine whether the other device is within the primary threshold distance 1310, the process 1400 does not unlock the device yet.
  • the ranging operation performed with the lower-frequency band is similar to the operations described above, but in other embodiments, the lower-frequency band uses a different ranging operation from the higher-frequency band.
  • the preliminary ranging operation of some embodiments is available as a part of a wireless protocol standard.
  • the ranging operation of the lower-frequency band uses a received signal strength indicator (RSSI) to determine that the device is within the secondary threshold distance 1315.
  • RSSI uses signal strength to get an imprecise distance measurement.
  • RSSI can be vulnerable to spoofing attacks that amplify legitimate signals to make devices appear to be closer to each other than they truly are. RSSI is less secure than the exchange of nonces, but is also simpler to implement and consumes less power.
  • a less secure preliminary ranging operation is used to determine whether to perform the more secure secondary ranging operation.
  • When the process 1400 determines (at 1410) that the other device is not within the first (secondary) threshold distance, the process 1400 ends.
  • When the process 1400 determines (at 1410) that the other device is within the secondary threshold distance, the process 1400 performs (at 1415) a second, more precise and secure ranging operation (such as those described above with reference to Figures 9-12) with a second frequency band.
  • the second frequency band of some embodiments is a higher-frequency band that provides the requisite precision to determine (at 1420) whether the devices are within a primary threshold distance.
  • the secondary and primary threshold distances 1315 and 1310 are determined based on the frequencies of the different bands.
  • When the process 1400 determines (at 1420) that the other device is not within the primary threshold distance, the process 1400 ends.
  • When the process 1400 determines (at 1420) that the other device is within the primary threshold distance, the process 1400 sends (at 1425) an unlock message through a secured channel, as described in the examples above.
  • the process 1400 then ends.
  • the devices of some embodiments use secure ranging information to determine whether the trusted and target devices are within a specified range of each other before allowing the trusted device to unlock the target device. An example of the process for actually calculating whether the devices are within a certain proximity is described below.
  • the trusted and target devices determine whether another device is within a particular range or proximity based on a set of ranging data exchanged between the devices.
  • Figure 15 conceptually illustrates a process for determining whether devices are within a threshold distance of each other, based on a set of message timestamps (e.g., timestamps exchanged over a derived channel as described above).
  • the process 1500 is performed by both the target and trusted devices during a security shift process.
  • the process 1500 records (at 1505) sent and received timestamps for ranging nonces.
  • the process of sending and receiving the nonces, and recording timestamps for the sent and received times, is described above with reference to Figures 11 and 12.
  • the process 1500 exchanges (at 1510) timestamps for when the nonces are sent and received with the other device. For instance, in the examples above, a trusted device sends the time that the first nonce is sent and the time that the second nonce is received, while a target device sends the time that the first nonce is received and the time that the second nonce is sent.
  • the sent and received timestamps are encrypted over a ranging channel (e.g., using a derived key).
  • the process 1500 then determines (at 1515) whether the timestamps fall within a set of time constraints set by the security policy for the ranging operation. For example, in some embodiments, the process 1500 determines (at 1515) whether the time between the receipt of the first nonce and the sending of the second nonce falls within an allowed range of time. By constraining the allowed range of time between the receipt and sending of the nonces, the devices can prevent clock drift attacks that attempt to take advantage of drift in the system clocks of the devices.
  • When the process 1500 determines (at 1515) that the timestamps do not fit within the designated time constraints, the process proceeds to step 1545, described below.
  • the process 1500 calculates (at 1520) the time ranges between the sent and received times for the nonces sent between the devices.
  • the calculated ranges indicate the amount of time required for the nonce to travel between the devices.
  • several sample distance measurements are captured before calculating any of the distance measurements.
  • the process 1500 determines whether to capture more samples. When the process 1500 determines (at 1525) that more samples are needed, the process returns to step 1505 to perform another ranging operation to capture another sample distance measurement. The process 1500 then analyzes (at 1530) the sample distance measurements (or timestamps) from the sample ranging operations to determine whether the devices are within a particular range.
  • the process 1500 determines (at 1535) whether the analysis of the sample distance measurements indicates that the other device is within a threshold distance.
  • the threshold distance of some embodiments is identified based on the frequency for the band through which the nonces are communicated. For example, in some embodiments, the threshold distance is a multiple of the minimum resolvable distance.
  • the process 1500 determines (at 1535) that the other device is not within the threshold distance, the process 1500 establishes (at 1545) that the devices may not be within the desired range and ends.
  • the process 1500 determines (at 1535) that the other device is within the threshold distance, the process 1500 establishes (at 1540) that the devices are within the particular range and the process 1500 then ends.
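The likelihood-ratio decision mentioned for the sixth stage of Figure 10, applied to the multiple samples that process 1500 collects before deciding (steps 1525 to 1545), as an added Python example that is not code from the patent or from Apple. The "inside" and "outside" range distributions are modeled here as Gaussians with constructed parameters; real deployments would fit them to measurements for the band and hardware in use. The sample lists in the test are constructed.

```python
import math


def gaussian_logpdf(x, mean, sigma):
    """Log of the normal density, the modeled range distribution used here."""
    return -0.5 * ((x - mean) / sigma) ** 2 - math.log(sigma * math.sqrt(2.0 * math.pi))


def log_likelihood_ratio(ranges, inside_model, outside_model):
    """Sum over samples of log P(r | inside) - log P(r | outside), i.e. the log
    of the ratio of the composite probabilities. Positive favours 'inside'."""
    return sum(gaussian_logpdf(r, *inside_model) - gaussian_logpdf(r, *outside_model)
               for r in ranges)


def unlock_decision(ranges, inside_model, outside_model, threshold=0.0, min_samples=3):
    """Process 1500 on top of the LLR: keep sampling until min_samples are
    available (1525), then compare the ratio with the threshold (1535).
    The threshold is a log-likelihood value, not a distance."""
    if len(ranges) < min_samples:
        return "need-more-samples"
    llr = log_likelihood_ratio(ranges, inside_model, outside_model)
    return "inside" if llr > threshold else "outside"


# Constructed models (mean, sigma) in metres: a watch on the wrist at the
# computer versus a watch across the room or in the next office.
INSIDE_MODEL = (1.0, 1.0)
OUTSIDE_MODEL = (10.0, 4.0)
```

With Gaussian models a single far sample dominates the sum, so one spoofed or noisy reading pushes the decision towards "outside" (the safe direction); a deployment that wants to tolerate outliers must encode that in the modeled distributions rather than in the comparison.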
  • secure ranging is used in conjunction with other aspects of a security protocol in order to securely use a trusted device to modify the security state of a target device.
  • a first device performs ranging operations to allow a user to access (e.g., to log into) the first device under one of several user accounts without providing one or more device-access credentials.
  • the device-access credentials are secret or semi-secret credentials such as passwords, passcodes, biometric input, etc.
  • the first device can be accessed without providing a username, while in other embodiments, the user has to provide a username or some other indication of the user account under which the user wants to access the device.
  • a device-access accelerant module of the first device determines that the second device is associated with a first user account under which a user can access (e.g., can log into) the first device.
  • the accelerant module enables at least one substitute interaction (e.g., one password-less interaction) to allow the first device to be accessed without receiving one or more access credentials through a user interface.
  • the accelerant module detects the occurrence of the enabled, substitute interaction.
  • the accelerant module directs an authentication module (e.g., a login module) of the first device to allow the first device to be accessed under the first account.
  • the accelerant module provides to the authentication module a substitute credential (e.g., a secret) in lieu of the first user account access credential(s) (e.g., the account password, passcode, biometric input, etc.) in order to direct this module to allow the first device to be accessed under the first user account.
  • FIG. 16 illustrates an access-accelerant process 1600 that the accelerant module of the first device performs in some embodiments of the subject technology. As shown, this process starts (at 1605) in some embodiments when a communication layer (e.g, a Bluetooth layer) of the first device notifies the accelerant module that a second device is within a first distance of the first device.
  • the communication layer in some embodiments performs ranging operations that search for nearby devices that transmit their availability on certain
  • When the communication layer finds such a device, it determines whether the device is within a prescribed distance and has been enabled for simplifying access to the first device (e.g., whether the second device has been paired with the first device). If the identified device has not been so enabled, or is not within the prescribed distance, the communication layer does not report it to the accelerant module. However, if it has been enabled and is within the prescribed distance, the communication layer reports the identified device to the accelerant module. Below, the identified device is referred to as the second device, and the prescribed distance is referred to as the first distance.
  • the accelerant process 1600 identifies a first user account under which a user can access (e.g., can log into) the first device through a substitute interaction that is available because of the proximity of the second device.
  • the accelerant process enables (at 1615) the substitute interaction to allow the first device to be accessed without receiving one or more access credentials (e.g., a password or passcode) for the first user account through a user interface of the first device.
  • the process 1600 maintains this substitute interaction enabled until it receives notification that the second device is no longer within the first distance of the first device.
  • the accelerant process 1600 then receives (at 1620) an indication from the first device’s I/O (input/output) interface layer that the enabled substitute interaction has occurred.
  • the accelerant process directs (at 1625) an authentication module (e.g., a login module) of the first device to allow the first device to be accessed under the first account.
  • the accelerant module provides to the authentication module a substitute credential (e.g., a secret) in lieu of the first user account access credential(s) (e.g., the account password) in order to direct this module to allow the first device to be accessed under the first user account.
  • the process 1600 ends.
  • In some embodiments, the accelerant module provides the same substitute credential to the authentication module to direct this module to allow access to two or more user accounts when the secondary devices associated with these user accounts are nearby.
  • the accelerant module provides different substitute credential(s) to the authentication module to access the first device under different accounts.
  • the accelerant process 1600 has to identify (at 1610) the substitute credential for the first user account (associated with the first and second devices), in order to provide (at 1625) this substitute credential to the authentication module.
  • the accelerant process also provides the first account’s username along with this substitute credential.
  • In other embodiments, the accelerant process does not need to provide the first account's username, as the user's action identifies the first user account under which the user wants to access the device (e.g., the user's selection of the first user account in a presentation displayed by the first device).
  • the access-accelerant process 1600 examines a data store (e.g., a lookup table) that identifies (1) other devices that are associated with the user accounts for accessing the first device, (2) substitute credentials associated with these other devices, and (3) in some cases, usernames associated with these other devices. Based on this examination, the accelerant module in these embodiments can identify a substitute credential for the first account's user-supplied access credential.
  • the first device’s communication layer not only identifies the nearby devices, but also identifies the account with which each identified device is associated (e.g.. that the second device is associated with the first user account).
  • the communication layer passes to the accelerant module an identifier for the first user account, or a value from which the accelerant module can identify the first-user-account identifier. Based on this identifier, the accelerant module provides the authentication module with the substitute credential for the first user account and, in some cases, the username.
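The accelerant module, its lookup table and the login module, as an added Python example that is not code from the patent or from Apple. It shows the control flow of process 1600: a substitute interaction is enabled only while the communication layer reports a paired device within the first distance, the accelerant hands the authentication module a substitute credential that is a separate secret rather than the account password, and the interaction is revoked when the device leaves. Class names, the dictionary layout of the data store and the plaintext password table (a stand-in for hashed verifiers) are this example's assumptions.

```python
import hmac
import secrets


class AuthenticationModule:
    """Login module of the first device. For each account it holds the
    account's own credential and, separately, any substitute credential
    registered for proximity-based access."""

    def __init__(self):
        self._passwords = {}    # username -> password bytes (toy; store a hash in practice)
        self._substitutes = {}  # username -> substitute credential bytes

    def add_account(self, username, password):
        self._passwords[username] = password

    def register_substitute(self, username):
        """Mint a substitute credential for an account; it is never the password."""
        cred = secrets.token_bytes(32)
        self._substitutes[username] = cred
        return cred

    def login(self, username, credential):
        """Accept either the account credential or its registered substitute."""
        for table in (self._passwords, self._substitutes):
            expected = table.get(username)
            if expected is not None and hmac.compare_digest(expected, credential):
                return True
        return False


class AccessAccelerant:
    """Access-accelerant module. data_store maps a paired device id to
    (username, substitute credential); enabled holds the interactions that
    are currently available because their device is within the first distance."""

    def __init__(self, auth, data_store):
        self.auth, self.store, self.enabled = auth, data_store, {}

    def on_device_in_range(self, device_id):
        """1605-1615: the communication layer reports a nearby device."""
        entry = self.store.get(device_id)
        if entry is None:          # unpaired device: nothing gets enabled
            return None
        self.enabled[device_id] = entry
        return entry[0]            # the account the interaction is enabled for

    def on_device_out_of_range(self, device_id):
        """Revoke the substitute interaction once the device has left."""
        self.enabled.pop(device_id, None)

    def on_substitute_interaction(self, username):
        """1620-1625: the I/O layer reports the enabled interaction (e.g. the
        account tile was clicked); direct the login module with the substitute."""
        for account, substitute in self.enabled.values():
            if account == username:
                return self.auth.login(account, substitute)
        return False
```

Two properties worth checking in any real implementation of this pattern are visible here: the substitute path cannot be taken for an account whose device has not been reported in range, and knowing a substitute credential for one account says nothing about that account's password.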
  • Figure 17 illustrates an example of a substitute interaction that a computer 1700 provides in some embodiments to allow' a user to access the computer under one of the computer’s several user accounts. This example is illustrated in terms of three operational stages 1702, 1704 and 1706 of the computer. Also, in this example, the computer 1700 has two user accounts, one for John and another for Jane.
  • the first stage 1702 shows the display screen of the computer 1700 displaying an access-screen presentation 1710 that presents selectable identifiers 1720 and 1725 for the John and Jane accounts.
  • the computer displays this presentation when no user account is currently logged in, or when the display screen has been locked to prevent unauthorized access to the computer under one or more logged in accounts.
  • the first stage 1702 also shows the selection of John’s account identifier 1720 through a cursor click operation that John performs through the cursor controller 1735 and its associated cursor 1730. As shown,
  • when the computer 1700 detects that a watch that is associated with one of the user accounts of the computer is nearby (i.e., is within a particular distance) and that this watch is wrapped around a person’s hand, the computer’s access-accelerant module (not shown) enables a substitute interaction for allowing John to access the computer more quickly.
  • the substitute interaction is the selection of the John account identifier 1720 in the access-screen presentation 1710.
  • the computer unlocks the displayed presentation to show a desktop page 1760 that is associated with John’s user account, as depicted in Figure 17 by stage 1706 and the transition from stage 1702 to stage 1706. If this account was not logged into at 1702, the computer 1700 performs a login operation when it transitions from 1702 to 1706.
  • the first device’s accelerant module not only can accelerate device access operations (by supporting more seamless device-access interactions in lieu of user access-credential entry), but also can accelerate other operations on the first device that require the submission of user credentials (e.g., passwords, passcodes, biometric input, usernames, etc.).
  • the accelerant module serves as an authorization-accelerant module. For instance, to change some settings (e.g., privacy settings, account settings, security settings, etc.) on a device, it is quite common to require a password, passcode or biometric input from a user. Similarly, it is quite common to require such input to install a program on a device or to purchase an item through the device.
  • the accelerant module in some embodiments enables simpler substitute interactions to change a setting, to install a program, and/or to purchase an item on the first device.
  • the accelerant module of the first device enables these substitute interactions when a second associated device is nearby. For instance, some embodiments perform ranging operations on the first device to detect that the second device is within a particular distance of the first device, so that when the second device is within this distance, the accelerant module can enable the substitute interaction on the first device.
  • the substitute interaction in some embodiments can be (1) the selection of a UI item to perform the operation (e.g., to unlock a setting so that it can be changed), or (2) the entry of a value.
  • the accelerant module provides to an authorization module of the first device a substitute credential in lieu of the user-supplied credential so that the authorization module can authorize the operation for the module that has to perform the operation (e.g., for the module that has to change the setting on the device).
  • Figure 19 illustrates an example of a substitute interaction that a computer 1700 provides in some embodiments to allow a user to change a setting, in lieu of providing a password to perform this operation. This example is illustrated in terms of three operational stages 1902, 1904 and 1906 of the computer.
  • the first stage 1702 shows the display screen of the computer 1700 displaying a desktop page 1760 that is associated with John’s user account. As shown, this page shows a security setting display area 1912 that has a firewall setting 1914 that can be enabled or disabled.
  • the first stage further shows a selection of a setting lock status identifier 1905 through a cursor click operation that John performs through the cursor controller 1735 and its associated cursor 1730. As shown, John performs this selection operation while wearing his watch 1740 around his wrist.
  • the setting lock status identifier 1905 indicates a locked state at the time that it is selected. This locked status indicates that the firewall setting 1914 cannot be changed as this setting has been locked.
  • the computer 1700 in Figure 17 is illustrated as displaying a desktop page 1760 that is associated with John’s user account and that includes a security setting display area 1912 with a firewall setting 1914.
  • the subject technology is not limited to desktop pages associated with a user account.
  • the subject technology is also applicable to user interfaces of applications such as web browsers, document editors and the like.
  • the subject technology may be applicable to a user interface, e.g., of a web browser, that allows a user to view a list of their passwords and/or allows a user to enter their stored login information on a web page.
  • the selection of setting unlock option 1905 would cause the computer’s display presentation to transition from 1902 to 1904, where it would present a credential-entry display window 1750 to receive John’s account password. Only after receiving this password would the computer transition to stage 1906, which shows the setting lock changed to an unlock status to indicate that the firewall setting 1914 can now be changed in the setting display page 1760.
  • the computer 1700 allows John to change the status identifier from a locked state to an unlock state by simply selecting it in the stage 1902 to transition to stage 1906. This is because in this example, the computer 1700 detects that John’s watch (which is associated with one of the user accounts of the computer) is nearby and is wrapped around a person’s hand. These detected conditions cause the computer’s access-accelerant module (not shown) to enable a substitute interaction for allowing John to change the status of the setting lock status identifier. In this example, the substitute interaction is the selection of this identifier 1905.
  • the substitute interaction for some operations entails sending a request to the second device to seek authorization for a requested operation, after a UI item is selected on the first device.
  • the second device in some embodiments displays the authorization request with a notification that describes the request and provides controls for accepting or rejecting the request.
  • the accelerant module provides to the authorization module a substitute credential in lieu of a user-supplied credential.
  • the authorization module authorizes the requested operation for the first-device module that has to perform the operation (e.g., for the module that has to change the setting on the device, install the program or purchase an item on the first device).
  • the above-described interaction is used in some embodiments to send a request to change a setting, install a program or purchase an item from a computer (e.g., laptop or desktop) to a smartwatch that is associated with an
  • the accelerant module can enable substitute interactions on the first device even when the first device is currently being accessed under a user account that does not have privileges for the requested operation. For instance, while a second user account is logged into the first device, a user might try to change a setting, install a program or purchase an item on the first device, which cannot be done by providing the login credentials of the second user account.
  • the accelerant module of the first device in some embodiments can send a request to a second device to approve the desired operation (e.g., the change to the setting, the installation of the program, the purchase of the item, etc.) when the second device is within a particular distance of the first device and the second device is associated with the first user account.
  • the accelerant module of the first device does not need to determine that the second device is within a particular range of the first device, before sending the second device a request to approve certain substitute interactions on the first device. This is because in these embodiments the first device sends such a request whenever it detects that the second device is available for a direct peer-to-peer connection with the first device through the short-range transceivers (e.g., Bluetooth transceivers, WiFi transceivers, etc.) of the first and second devices.
  • a direct peer-to-peer connection between two devices is a peer-to-peer connection that does not have to go through any other intervening electronic device outside of the two devices.
  • Figures 20-23 illustrate several examples of substitute interactions that involve sending a request to a second device to seek authorization for a requested operation on a first device.
  • Figure 20 illustrates a setting-change example like the setting-change example of Figure 19.
  • John’s selection of the setting lock status identifier 1905 does not cause the computer to transition to stage 1906 due to the proximity and on-wrist status of John’s watch.
  • the proximity and on-wrist status of John’s watch causes the computer to send a notification 2050 to John’s watch to seek authorization for unlocking the setting lock 1905, as shown by the transition from stage 1902 to stage 2004 in Figure 20.
  • the computer also displays the credential-entry display window 1750 to receive John’s account password.
  • Stage 2004 shows John approving the unlocking of the setting lock 1905 by tap-selecting “Yes” in the notification displayed on the watch.
  • this approval causes the computer to transition to stage 1906, which shows the setting lock changed to an unlock status to indicate that the firewall setting 1914 can now be changed in the setting display page 1760.
  • John may also be able to approve of unlocking the setting lock via his watch by manually interacting with one or more buttons, such as physical and/or hardware buttons, and/or providing voice commands, on the watch.
  • the watch may include a side button that John may press a number of consecutive times, such as two times (e.g., double click), in order to approve of unlocking the setting lock via his watch.
  • John may use one or more buttons on the watch to approve of any of the operations described herein.
  • the computer 1700 in the example of Figure 20 sends the notification to John’s watch because it performs ranging operations to determine that the watch is within a prescribed distance of the computer. In other embodiments, the computer 1700 in this example sends this notification to John’s watch because the watch is close enough to establish a short-range wireless, direct peer-to-peer connection between the computer and the watch (e.g., a direct, peer-to-peer Bluetooth connection between the computer and the watch).
  • Figure 21 presents an example that illustrates that the accelerant module in some embodiments can enable a substitute interaction for changing a setting on the first device even when the first device is currently being accessed under a user account that does not have privileges for the requested operation.
  • the example illustrated in this figure is like the example illustrated in Figure 20, except that the request to unlock the setting lock 1905 is made in a first stage 2102 while Jane is logged into the computer 1700.
  • the computer at 2104 displays a credential-entry display window 2150 that asks her to provide a username and password for a user account that has administrative privileges for the requested operation.
  • the computer also sends a notification to John’s watch to seek authorization for unlocking the setting lock 1905, as the computer determines that the watch is nearby and is on wrist.
  • the computer 1700 performs ranging operations to determine that John’s watch is nearby (i.e., to determine that the watch is within a prescribed distance of the computer). In other embodiments, the computer 1700 determines that the watch is nearby as the watch is close enough to establish a short-range wireless, direct peer-to-peer connection with the computer.
  • the notification on John’s watch is a substitute interaction for allowing a setting to be changed on the computer 1700.
  • Stage 2104 shows John approving the unlocking of the setting lock 1905 by tap-selecting “Yes” in the notification displayed on the watch. As shown, this approval causes the computer to transition to stage 2106, which shows the setting lock changed to an unlock status to indicate that the firewall setting 1914 can now be changed in the setting display page 1760 while Jane is logged into the computer 1700.
  • Figure 22 illustrates an example of allowing a password-less installation of a program on the computer 1700 by sending a request to a watch to seek authorization for this operation on the computer.
  • This example is similar to the example illustrated in Figure 20, except that the example in Figure 22 relates to installing a program and not changing a setting on the computer 1700. Accordingly, the example in this figure starts with John selecting a program package 2212 in a first stage 2202 to start the process for installing the program on the computer.
  • This selection causes the computer to transition to 2204, where it presents the credential-entry display window 1750 to receive John’s account password, in order to authorize the requested installation.
  • the computer also sends a notification 2140 to John’s watch to seek authorization for installing the program, as the computer determines that the watch is nearby and is on wrist.
  • the computer 1700 performs ranging operations to determine that John’s watch is nearby (i.e., to determine that the watch is within a prescribed distance of the computer). In other embodiments, the computer 1700 determines that the watch is nearby as the watch is close enough to establish a short-range wireless, direct peer-to-peer connection with the computer.
  • the notification on John’s watch is a substitute interaction for allowing the program to be installed on the computer 1700.
  • Stage 2204 shows John approving the installation of the program by tap-selecting “Yes” in the notification displayed on the watch. This approval directs the computer to install the program, as indicated by stage 2206, which shows the program installed on the computer.
  • Figure 23 presents an example that illustrates that the accelerant module in some embodiments can enable a substitute interaction for installing a program on the first device even when the first device is currently being accessed under a user account that does not have privileges for installing a program.
  • the example illustrated in this figure is like the example illustrated in Figure 22, except that the request to install the program is made in a first stage 2302 while Jane is logged into the computer 1700.
  • the computer at 2304 displays a credential-entry display window 2150 that asks her to provide a username and password for a user account that has administrative privileges for the requested operation.
  • the computer also sends a notification to John’s watch to seek authorization for installing the program, as the computer determines that the watch is nearby and is on wrist.
  • the computer 1700 performs ranging operations to determine that John’s watch is nearby (i.e., to determine that the watch is within a prescribed distance of the computer).
  • the computer 1700 determines that the watch is nearby as the watch is close enough to establish a short-range wireless, direct peer-to-peer connection with the computer.
  • the notification 2140 on John’s watch is a substitute interaction for allowing the program to be installed on the computer 1700.
  • Stage 2304 shows John approving this installation by tap-selecting“Yes” in the notification displayed on the watch.
  • This approval directs the computer to install the program, as indicated by stage 2206, which shows the program installed on the computer.
  • the accelerant module of the first device can enable different sets of substitute interactions when the second device is within different ranges of distances from the first device. For instance, when the second device is within a first distance range of the first device, the accelerant module enables a first set of substitute interactions, in lieu of a second set of interactions, for performing a first set of operations on the first device. When the second device is within a closer, second distance range of the first device, the accelerant module enables a third set of substitute interactions, in lieu of a fourth set of interactions on the first device, to perform a second set of operations on the first device.
  • the second distance range is subsumed in the first distance range in some embodiments. As such, both sets of substitute interactions are enabled when the second device is within the second distance range in these embodiments. Also, the accelerant module disables these substitute interactions when the second device falls outside of the first range. This module also disables the second set of substitute interactions when the second device falls outside of the second range.
  • the substitute interactions enabled within the closer, second distance range are in some embodiments more seamless (e.g., are faster or require less input from a user) than those enabled when the second device is only within the farther, first distance range.
  • a user in some embodiments can log into an account on the computer through a single stroke input on a peripheral component (e.g., cursor controller, keyboard, etc.) of the computer.
  • one user on the computer requests an operation (e.g., the change to a setting, the installation of a program, the purchase of an item) and another user on the watch has to approve this request in some embodiments.
  • Figure 24 illustrates an example of enabling two different substitute interactions when a watch is at two different distances from a computer. This example is illustrated in three sections 2405, 2410, and 2415, with each section showing two operational stages of the computer 1700 and the watch 1740.
  • the first stage 2402 of the first section 2405 shows the watch 1740 on John’s wrist as (1) the computer displays an access-display presentation that only identifies John’s user account and (2) John presses the space bar 2422 on the keyboard 2424 of the computer 1700.
  • this interaction with the space bar while John’s watch is on wrist and nearby directs the computer to present John’s desktop page (i.e., to log into John’s account or to unlock the locked display screen to allow access to John’s account).
  • the interaction with the space bar is the substitute interaction for providing John’s password.
  • the access-accelerant module of the computer 1700 enabled this substitute interaction for John’s account when the computer detected that John’s watch was nearby and on-wrist.
  • The access-accelerant module disables this substitute interaction for John’s account when the computer detects that either John’s watch is no longer nearby (i.e., is no longer within a prescribed distance) or is not affixed to a person.
  • An example of this is illustrated in the second section 2410. Specifically, the first stage 2406 of the second section 2410 shows John’s watch far away from the computer, as Jane presses the space bar 2422 while the computer displays John’s user account identifier on an access-display presentation. The second stage 2408 shows that Jane’s interaction with the space bar had no effect. It did not cause the computer to login under John’s account or to unlock the locked screen under John’s account. This is because the access-accelerant module disabled the space-bar substitute access interaction for John’s account, once John’s watch moved away from the computer by more than the prescribed distance.
  • John’s watch is at a distance d2 from the computer 1700.
  • the third section 2415 illustrates that at the farther distance d2, the access-accelerant module of the computer can enable a substitute interaction for installing programs on the computer even though it has disabled the space-bar substitute access interaction, which requires the watch to be in closer proximity.
  • the first stage 2412 of this section illustrates Jane trying to install a program while she is logged into the computer under her account. As she does not have administrative privileges to install programs on the computer, the access-accelerant module of the computer sends an approval request for this installation to John’s watch, which is on-wrist and within a prescribed range to approve such an operation.
  • the second stage 2414 shows John approving this installation. It also shows this program installed on the computer.
  • Figure 25 illustrates several modules executing on a first device that enable different substitute interactions for performing different operations on the first device.
  • an access accelerator 2505 enables the substitute interactions when a second device is nearby and is available for facilitating these substitute interactions.
  • the substitute interactions provide different ways for login into the first device, unlocking a locked-screen presentation on the first device, unlocking a locked setting on the first device, installing a program on the first device, and purchasing an item on the first device.
  • the modules of Figure 25 include an authentication manager 2510, a communication manager 2515, an input manager 2520, a settings manager 2525, a program install manager 2530, a login manager 2535, a lock-screen manager 2540, and a purchasing manager 2545.
  • the communication manager 2515 includes one or more drivers that interface with one or more short-range transceivers (not shown) of the first device.
  • one such transceiver is the Bluetooth transceiver of the first device.
  • the communication manager 2515 also includes a range calculator (not shown) that iteratively performs the above-described ranging operations to continuously search for nearby devices that have been enabled for supporting substitute interaction on the first device.
  • these ranging operations determine whether an enabled second device is within a first distance for enabling a first set of substitute interactions for a first set of operations on the first device, or is within a closer, second distance for enabling a second set of substitute interactions for a second set of operations on the first device.
  • When the range calculator of the communication manager identifies a second device that is within the first or second distance of the first device, it provides a notification to the access accelerator 2505 with data that the second device provides regarding its availability for supporting the substitute interactions. For instance, in some embodiments a smartwatch is deemed available when its availability data indicates that the watch is currently attached to a person (e.g., wrapped around a user’s wrist) and is unlocked and is not on a charger.
  • When the access accelerator 2505 receives a notification from the communication manager 2515 that the second device is within the first or second distance of the first device, the accelerator 2505 analyzes the second-device availability data that accompanies this notification to determine whether the second device is currently available for supporting the substitute interactions on the first device. When the access accelerator 2505 determines that the second device is not currently available (e.g., determines that the watch is not attached to a person, is locked and/or is on a charger), the accelerator directs the communication manager to terminate a connection with the second device if it has established a connection with it.
  • When the access accelerator 2505 determines that the second device is currently available (e.g., determines that the watch is attached to a person, unlocked and not on a charger), and is within a first distance or a second distance of the first device, the accelerator enables a first set or a second set of substitute interactions associated with the reported first or second distance of the second device.
  • Each enabled substitute interaction is associated with at least one input that is received through an input interface of the first device.
  • the accelerator 2505 registers with the input manager 2520 to receive the interaction’s associated input when the input manager receives it through an input interface of the first device.
  • the substitute interactions are all substitutes for providing user-authentication data that is needed to authorize an operation, such as unlocking a locked setting value, logging into a computer, unlocking a locked display screen presentation, installing a program or purchasing an item.
  • the authentication manager 2510 is responsible for authorizing any of these operations for the settings manager 2525, the program install manager 2530, the login manager 2535, the lock-screen manager 2540, and the purchasing manager 2545.
  • the authentication manager performs its authentication operations by validating credentials (e.g., names, passwords, passcodes, biometric input, etc.) that a user provides.
  • the authentication manager 2510 can also authorize operations for modules 2525-2545 based on a substitute credential that the access accelerator 2505 provides when the accelerator receives notification of a substitute interaction from the input manager 2520.
  • the access accelerator 2505 provides to the authentication manager 2510 a secret that is a substitute credential for a user’s password that is necessary to log into the first device or unlock the display screen of the first device under the user account associated with the second device.
  • the authentication manager 2510 directs the login manager 2535 or the lock-screen manager 2540 to initiate a login operation or a screen unlock operation for the account associated with the second device.
  • the accelerator in some embodiments provides different substitute credentials for different secondary devices as different devices can be associated with different accounts.
  • the access accelerator in some embodiments sends a request for authorization to the second device (through the communication manager 2515) for certain operations, e.g., a request to authorize the installation of a program. Only after receiving this authorization from the second device (through the communication manager 2515) does the accelerator provide the substitute credential to the authentication manager. It does not provide this credential when the second device rejects or disregards the authorization request.
  • Figure 26 illustrates a process 2600 that the access accelerator 2505 of the first device performs in some embodiments when a second device, which has been enabled for substitute interactions, comes within a first distance of the first device. This process starts when the communication manager 2515 notifies the accelerator 2505 that it has identified an enabled second device within a first distance of the first device. With this notification, the
  • the process 2600 initially examines (at 2605) the availability data to determine whether the second device is available to support substitute interactions on the first device.
  • a smartwatch in some embodiments is deemed available when its availability data indicates that the watch is currently attached to a person (e.g., wrapped around a user’s wrist) and is unlocked.
  • the process 2600 determines that the second device is not available to support substitute interactions on the first device (e.g., the watch is not attached to anyone or is locked)
  • the process 2600 determines that the second device is available to support substitute interactions on the first device (e.g., the watch is attached to someone and is unlocked)
  • the process 2600 enables (at 2610) a first set of substitute interactions for performing a first set of operations on the first device.
  • the process then registers (at 2615) with the input manager 2520 to receive notifications associated with the first set of substitute interactions.
  • the process determines (at 2620) whether it has received a notification from the input manager 2520 that this manager has detected an input associated with one of the substitute interactions in the first set. If so, the process 2600 performs (at 2625) a sub-process to allow the operation associated with the input detected at 2620 for the substitute interaction.
  • the substitute interaction is just a single input through the first device’s input interface (e.g., the pressing of a space bar, the selection of the setting lock, etc.), in response to which the access accelerator 2505 provides an access credential substitute (e.g., a secret) to the authentication manager 2510 to authorize a particular operation (e.g., the logging into the first device, the unlocking of a locked screen presentation on the first device, the unlocking of a setting lock, etc.).
  • the access credential substitute in some embodiments is a credential substitute that is associated with an account that is also associated with the second device.
  • the substitute interaction has multiple parts, one part that requires an input through the first device’s input interface, and another part that includes an interaction on the second device.
  • substitute interactions include the above-described program install and setting unlock operations that require a user to approve an operation on a computer by indicating this approval on his watch.
  • the process 2600 sends (at 2625) an approval request to the second device, and once it receives approval of this request, provides the access credential substitute (e.g., a secret associated with the account that is also associated with the second device) to the authentication manager 2510 to authorize a particular operation (e.g., the logging into the first device, the unlocking of a setting lock, etc.).
  • the process 2600 sends the approval request and receives the approval through the communication manager 2515. After 2625, the process returns to 2620.
  • the process determines (at 2630) whether the second device is still within the first distance.
  • the communication manager 2515 notifies the access accelerator 2505 when the second device has moved away from the first device to be outside of the first range that is defined by the first distance.
  • the process determines (at 2635) whether the second device has moved close to the first device to now be within a closer, second distance of the first device.
  • the communication manager 2515 notifies the access accelerator 2505 when the second device has moved towards the first device to be within the second range that is defined by the second distance. The first range subsumes the second range.
  • When the process 2600 determines (at 2635) that the second device is not within the second distance of the first device, the process returns to 2620.
  • When the process 2600 determines (at 2635) that the second device is now within the second distance of the first device, the process 2600 enables (at 2640) a second set of substitute interactions for performing a second set of operations on the first device.
  • the process then registers (at 2645) with the input manager 2520 to receive notifications associated with the second set of substitute interactions.
  • the process determines (at 2650) whether it has received a notification from the input manager 2520 that this manager has detected an input associated with a substitute interaction in either the first or the second set. If so, the process 2600 performs (at 2655) a sub-process to allow the operation associated with the input detected at 2650 for the substitute interaction.
  • the substitute interaction in some cases involves receiving only an input on the first device, while in other cases it involves receiving an input on the first device, sending an interaction request to the second device, and receiving confirmation of the requested interaction from the second device.
  • when the access accelerator detects that the one-part or multi-part substitute interaction has occurred, it provides (at 2655) an access credential substitute (e.g., a secret) to the authentication manager 2510 to authorize a particular operation (e.g., the logging into the first device, the unlocking of a setting lock, etc.).
  • This access credential substitute in some embodiments is a credential substitute that is associated with an account that is also associated with the second device. After 2655, the process returns to 2650.
  • the process determines (at 2660) whether the second device is still within the second distance. In some embodiments, the communication manager 2515 notifies the access accelerator 2505 when the second device has moved away from the first device to be outside of the second range that is defined by the second distance.
  • when the process 2600 determines (at 2660) that the second device is farther than the second distance, the process returns to 2620. Otherwise, it returns to 2650.
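The two-tier range logic of process 2600 (steps 2620 through 2660) is easiest to see as a small state machine. The following is an added example written for this page, not code from the patent or from Apple: the distances, the interaction catalogue, and the names AccessAccelerator, SubstituteInteraction and Tier are this example's own assumptions. A callable stands in for the second device's approval step (2625), and the returned secret stands in for the access credential substitute handed to the authentication manager (2655).

```python
"""Added example: range-tiered enabling of substitute interactions, modelled on
process 2600. All identifiers and distance values here are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Set

FIRST_DISTANCE = 10.0   # constructed: outer range, enables the first set of interactions
SECOND_DISTANCE = 2.0   # constructed: inner range, subsumed by the outer one


class Tier(Enum):
    NONE = 0    # second device farther than FIRST_DISTANCE: nothing enabled
    FIRST = 1   # within FIRST_DISTANCE: first set enabled (step 2615)
    SECOND = 2  # within SECOND_DISTANCE: first and second sets enabled (step 2640)


@dataclass(frozen=True)
class SubstituteInteraction:
    name: str
    tier: Tier                  # range tier at which this interaction becomes available
    needs_remote_approval: bool # multi-part: also needs an approval on the second device


# Constructed catalogue. Program install and setting unlock are the multi-part
# cases described above; login is placed in the closer, second tier.
INTERACTIONS: Dict[str, SubstituteInteraction] = {
    "install_program": SubstituteInteraction("install_program", Tier.FIRST, True),
    "unlock_setting": SubstituteInteraction("unlock_setting", Tier.FIRST, True),
    "login": SubstituteInteraction("login", Tier.SECOND, False),
}


class AccessAccelerator:
    def __init__(self, account_secret: str, approver: Callable[[dict], bool]):
        # The credential substitute: a secret tied to the account that is also
        # associated with the second device. It is released only by on_input().
        self._secret = account_secret
        # Stands in for the round trip to the second device at step 2625.
        self._approver = approver
        self.tier = Tier.NONE
        self.enabled: Set[str] = set()

    def on_range_update(self, distance: float) -> Tier:
        """Called by the communication manager after each ranging result.
        Re-evaluates the tier and the enabled set (steps 2630, 2635, 2660)."""
        if distance <= SECOND_DISTANCE:
            new = Tier.SECOND
        elif distance <= FIRST_DISTANCE:
            new = Tier.FIRST
        else:
            new = Tier.NONE
        self.tier = new
        # An interaction is enabled when its tier is at or below the current one,
        # so the inner range keeps everything the outer range allowed.
        self.enabled = {n for n, i in INTERACTIONS.items() if i.tier.value <= new.value}
        return self.tier

    def on_input(self, name: str) -> Optional[str]:
        """Called by the input manager when an input tied to a substitute
        interaction is detected (step 2650). Returns the credential substitute
        for the authentication manager, or None when the operation must fall
        back to ordinary credentials (out of range, unknown, or not approved)."""
        inter = INTERACTIONS.get(name)
        if inter is None or name not in self.enabled:
            return None
        if inter.needs_remote_approval and not self._approver({"op": name}):
            return None
        return self._secret
```

Note that the enabled set is recomputed from the latest ranging result on every update rather than cached, so a device that drifts back out of the first range immediately loses both tiers, which is the behaviour steps 2630 and 2660 describe.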
  • Figure 27 illustrates a process 2700 that shows the operations that the communication manager 2515 and the access accelerator 2505 perform in some embodiments when the communication manager detects a second device within a first distance of the first device.
  • the communication manager continuously searches for nearby devices that are performing broadcast advertising on wireless short-range radio frequencies, such as Bluetooth frequencies.
  • the process 2700 starts when it detects an advertisement from the second device that is within a first distance from the first device.
  • a range calculator of the communication manager iteratively performs ranging operations to identify the distance between the first device and the second device.
  • the communication manager 2515 initially determines (at 2705) whether the second device has been enabled for supporting substitute interactions with the first device.
  • the second device would have gone through a pairing process with the first device and would have to be associated with one of the user accounts associated with the first device. In other embodiments, the second device just has to be associated with one of the user accounts associated with the first device.
  • when the communication manager 2515 determines (at 2705) that the second device has not been enabled for supporting substitute interaction with the first device, it ends.
  • when the access accelerator receives (at 2715) the operating mode data from the communication manager, it determines (at 2720) whether this data indicates that the second device is in an operating mode that makes it available to support substitute interactions with the first device.
  • when the second device is a smartwatch, it is deemed available in some embodiments when its operating mode data indicates that the watch is currently attached to a person (e.g., wrapped around a user’s wrist), is unlocked, and is not on the charger.
  • the watch specifies its state information differently in different embodiments. Various ways for providing the operating state information of the watch were described above by reference to Figure 17.
  • when the access accelerator determines (at 2720) that the second device is available to support substitute interactions, it designates a set of substitute interactions as being available until the communication manager notifies it that the second device is farther than the first distance (at 2725). Otherwise, when the access accelerator determines (at 2720) that the second device is not available to support substitute interactions, it directs (at 2730) the communication manager to cancel its connection session with the second device or to cancel trying to establish such a session.
  • the communication manager determines (at 2740) whether it has received a cancelation request from the access accelerator. If not, it determines (at 2745) whether it has established a connection session. If it has not established a connection session, it returns to 2740. If it determines (at 2745) that it has completed a connection session, it transitions to 2750. The communication manager remains at 2750 until either it receives an instruction from the access accelerator to cancel its connection session, or until it detects (based on ranging operations of the range calculator) that the second device is farther than the first distance away from the first device. After 2750, the process ends.
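The gating decisions of process 2700 (enabled at 2705, available at 2720, session cancelled or kept at 2730 through 2750) can be written out as plain predicates plus a session state. This is an added example for this page, not the patent's or Apple's code; DeviceRecord, OperatingMode, is_enabled, is_available and CommunicationManager are names this example introduces, and the session states are its own labels for the steps referenced in the comments.

```python
"""Added example: the enabled/available checks and session handling of
process 2700. Every identifier and sample value here is constructed."""
from dataclasses import dataclass
from typing import Callable, Optional, Set


@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    paired: bool               # has gone through a pairing process with the first device
    account: Optional[str]     # user account the second device is associated with


@dataclass(frozen=True)
class OperatingMode:
    on_wrist: bool
    unlocked: bool
    on_charger: bool


def is_enabled(device: DeviceRecord, first_device_accounts: Set[str],
               require_pairing: bool = True) -> bool:
    """Step 2705. Some embodiments require pairing plus an account match; others
    require only that the device is tied to one of the first device's accounts."""
    if require_pairing and not device.paired:
        return False
    return device.account is not None and device.account in first_device_accounts


def is_available(mode: OperatingMode) -> bool:
    """Step 2720 for a watch: attached to a person, unlocked, and not charging."""
    return mode.on_wrist and mode.unlocked and not mode.on_charger


class CommunicationManager:
    """Holds the connection session through steps 2735 to 2750."""

    def __init__(self) -> None:
        self.session = "none"   # none | connecting | connected | cancelled | out_of_range

    def on_advertisement(self, device: DeviceRecord, accounts: Set[str],
                         mode: OperatingMode,
                         decide: Callable[[OperatingMode], bool]) -> str:
        """Runs when an advertisement is received from within the first distance.
        `decide` is the access accelerator's availability decision (step 2720)."""
        if not is_enabled(device, accounts):
            return "not_enabled"            # step 2705 fails: process ends
        self.session = "connecting"         # step 2735: session being established
        if not decide(mode):
            self.session = "cancelled"      # step 2730 / 2740: cancellation requested
            return "cancelled"
        self.session = "connected"          # step 2745 -> 2750: session established
        return "substitute_interactions_enabled"

    def on_range_update(self, distance: float, first_distance: float) -> str:
        """Step 2750: remain connected until the device leaves the first range."""
        if self.session == "connected" and distance > first_distance:
            self.session = "out_of_range"
        return self.session

    def cancel(self) -> str:
        """Step 2750: the access accelerator may cancel an established session."""
        if self.session in ("connecting", "connected"):
            self.session = "cancelled"
        return self.session
```

The availability predicate is deliberately a pure function of the operating mode data the watch reports, so the same check can be re-run whenever that data changes rather than only at the moment the advertisement arrives.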
  • a computer readable storage medium also referred to as a computer readable medium.
  • these instructions are executed by one or more computational or processing unit(s) (e.g., one or more processors, cores of processors, or other processing units), they cause the processing unit(s) to perform the actions indicated in the instructions.
  • Examples of computer readable media include, but are not limited to, CD-ROMs, flash drives, random access memory (RAM) chips, hard drives, erasable programmable read-only memories (EPROMs), electrically erasable programmable read-only memories (EEPROMs), etc.
  • the computer readable media does not include carrier waves and electronic signals passing wirelessly or over wired connections
  • the term “software” is meant to include firmware residing in read-only memory or applications stored in magnetic storage which can be read into memory for processing by a processor. Also, in some embodiments, multiple software programs can be implemented as sub-parts of a larger program while remaining distinct software programs. In some embodiments, multiple software programs can also be implemented as separate programs. Finally, any combination of separate programs that together implement a software program described here is within the scope of the subject technology. In some embodiments, the software programs, when installed to operate on one or more electronic systems, define one or more specific machine implementations that execute and perform the operations of the software programs.
  • FIG. 28 conceptually illustrates an example of an electronic system 2800 with which some embodiments of the subject technology are implemented.
  • the electronic system 2800 may be a computer (e.g., a desktop computer, personal computer, tablet computer, etc.), phone, PDA, or any other sort of electronic or computing device
  • Such an electronic system includes various types of computer readable media and interfaces for various other types of computer readable media.
  • Electronic system 2800 includes a bus 2805, processing unit(s) 2810, a graphics processing unit (GPU) 2815, a system memory 2820, a network 2825, a read-only memory 2830, a permanent storage device 2835, input devices 2840, and output devices 2845.
  • the bus 2805 collectively represents all system, peripheral, and chipset buses that communicatively connect the numerous internal devices of the electronic system 2800.
  • the bus 2805 communicatively connects the processing unit(s) 2810 with the read-only memory 2830, the GPU 2815, the system memory 2820, and the permanent storage device 2835.
  • the processing unit(s) 2810 retrieves instructions to execute and data to process in order to execute the processes of the subject technology.
  • the processing unit(s) may be a single processor or a multi-core processor in different embodiments. Some instructions are passed to and executed by the GPU 2815.
  • the GPU 2815 can offload various computations or complement the image processing provided by the processing unit(s) 2810.
  • the read-only memory (ROM) 2830 stores static data and instructions that are needed by the processing unit(s) 2810 and other modules of the electronic system.
  • the permanent storage device 2835 is a read-and-write memory device. This device is a non-volatile memory unit that stores instructions and data even when the electronic system 2800 is off.
  • Some embodiments of the subject technology use a mass-storage device (such as a magnetic or optical disk and its corresponding disk drive, integrated flash memory) as the permanent storage device 2835.
  • the system memory 2820 is a read-and-write memory device.
  • the system memory 2820 is a volatile read-and-write memory, such as a random access memory.
  • the system memory 2820 stores some of the instructions and data that the processor needs at runtime.
  • the subject technology’s processes are stored in the system memory 2820, the permanent storage device 2835, and/or the read-only memory 2830
  • the various memory units include instructions for performing the operations illustrated in the above-described flowcharts and software block diagrams. From these various memory units, the processing unit(s) 2810 retrieves instructions to execute and data to process in order to execute the processes of some embodiments.
  • the bus 2805 also connects to the input and output devices 2840 and 2845.
  • the input devices 2840 enable the user to communicate information and select commands to the electronic system.
  • the input devices 2840 include alphanumeric keyboards and pointing devices (also called “cursor control devices”), cameras (e.g., webcams), microphones or similar devices for receiving voice commands, etc.
  • the output devices 2845 display images generated by the electronic system or otherwise output data.
  • the output devices 2845 include printers and display devices, such as cathode ray tubes (CRT) or liquid crystal displays (LCD), as well as speakers or similar audio output devices. Some embodiments include devices such as a touchscreen that function as both input and output devices.
  • bus 2805 also couples electronic system 2800 to a network 2825 through a network adapter (not shown).
  • the computer can be a part of a network of computers (such as a local area network (“LAN”), a wide area network (“WAN”), or an Intranet), or a network of networks, such as the Internet.
  • Any or all components of electronic system 2800 may be used in conjunction with the subject technology.
  • Some embodiments include electronic components, such as microprocessors, storage and memory that store computer program instructions in a machine-readable or computer-readable medium (alternatively referred to as computer-readable storage media, machine-readable media, or machine-readable storage media).
  • computer-readable media include RAM, ROM, read-only compact discs (CD-ROM), recordable compact discs (CD-R), rewritable compact discs (CD-RW), read-only digital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a variety of recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW,
  • the computer-readable media may store a computer program that is executable by at least one processing unit and includes sets of instructions for performing various operations. Examples of computer programs or computer code include machine code, such as is produced by a compiler, and files including higher-level code that are executed by a computer, an electronic component, or a microprocessor using an interpreter.
  • this gathered data may include personal information data that uniquely identifies or can be used to identify a specific person.
  • personal information data can include demographic data, location-based data, online identifiers, telephone numbers, email addresses, home addresses, data or records relating to a user’s health or level of fitness (e.g., vital signs measurements, medication information, exercise information), date of birth, or any other personal information.
  • the present disclosure recognizes that the use of such personal information data, in the present technology, can be used to the benefit of users.
  • the personal information data can be used to enable substitute interactions in accordance with a user’s preferences. Accordingly, use of such personal information data enables users to have greater control of the substitute interactions.
  • other uses for personal information data that benefit the user are also contemplated by the present disclosure. For instance, health and fitness data may be used, in accordance with the user’s preferences to provide insights into their general wellness, or may be used as positive feedback to individuals using technology to pursue wellness goals.
  • the present disclosure contemplates that those entities responsible for the collection, analysis, disclosure, transfer, storage, or other use of such personal information data will comply with well-established privacy policies and/or privacy practices. In particular, such entities would be expected to implement and consistently apply privacy practices that are generally recognized as meeting or exceeding industry or governmental requirements for maintaining the privacy of users. Such information regarding the use of personal data should be prominently and easily accessible by users, and should be updated as the collection and/or use of data changes. Personal information from users should be collected for legitimate uses only. Further, such policies and practices should be adapted for the particular types of personal information data being collected and/or accessed and adapted to applicable laws and standards, including jurisdiction-specific considerations which may serve to impose a higher standard.
  • the present disclosure also contemplates embodiments in which users selectively block the use of, or access to, personal information data. That is, the present disclosure contemplates that hardware and/or software elements can be provided to prevent or block access to such personal information data.
  • the present technology can be configured to allow users to select to “opt in” or “opt out” of participation in the collection of personal information data during registration for services or anytime thereafter.
  • the present disclosure contemplates providing notifications relating to the access or use of personal information. For instance, a user may be notified upon downloading an app that their personal information data will be accessed and then reminded again just before personal information data is accessed by the app.
  • the present disclosure broadly covers use of personal information data to implement one or more various disclosed embodiments, the present disclosure also contemplates that the various embodiments can also be implemented without the need for accessing such personal information data. That is, the various embodiments of the present technology are not rendered inoperable due to the lack of all or a portion of such personal information data. For example, particular substitute interactions can be enabled on users’ devices based on aggregated non-personal information data or a bare minimum amount of personal information, such as the content being handled only on the user’s device or other non-personal information available.
  • the terms “computer”, “server”, “processor” and “memory” all refer to electronic or other technological devices. These terms exclude people or groups of people.
  • the terms “display” or “displaying” mean displaying on an electronic device.
  • the terms “computer readable medium,” “computer readable media,” and “machine readable medium” are entirely restricted to tangible, physical objects that store information in a form that is readable by a computer. These terms exclude any wireless signals, wired download signals, and any other ephemeral signals.

Abstract

In some embodiments, a first device performs ranging operations to allow a user to perform one or more operations on the first device without providing access credentials to the device. For example, when a second device is within a first distance of the first device, the first device determines that the second device is associated with a first user account that is authorized to perform operations on the first device. In response to the determination, the first device enables at least one substitute interaction (e.g., a password-less UI interaction) for authorizing the operations to be performed on the first device without receiving access credentials through a user interface. In response to detecting an occurrence of the substitute interaction, the operation is authorized on the first device.
EP20724335.3A 2019-04-18 2020-04-16 Remote interaction with a device using secure range detection Withdrawn EP3925254A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US16/388,831 US11250118B2 (en) 2016-06-12 2019-04-18 Remote interaction with a device using secure range detection
PCT/US2020/028549 WO2020214833A1 (fr) 2019-04-18 2020-04-16 Remote interaction with a device using secure range detection

Publications (1)

Publication Number Publication Date
EP3925254A1 true EP3925254A1 (fr) 2021-12-22

Family

ID=70554248

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20724335.3A Withdrawn EP3925254A1 (fr) 2019-04-18 2020-04-16 Remote interaction with a device using secure range detection

Country Status (3)

Country Link
EP (1) EP3925254A1 (fr)
CN (1) CN113692584A (fr)
WO (1) WO2020214833A1 (fr)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9002322B2 (en) * 2011-09-29 2015-04-07 Apple Inc. Authentication with secondary approver
BR112015016568A2 (pt) * 2013-01-09 2017-07-11 Evernym Inc Systems and methods of controlled access interactions
US9432361B2 (en) * 2013-03-13 2016-08-30 Lookout, Inc. System and method for changing security behavior of a device based on proximity to another device
US10440574B2 (en) * 2016-06-12 2019-10-08 Apple Inc. Unlocking a device
US11582215B2 (en) * 2016-06-12 2023-02-14 Apple Inc. Modifying security state with secured range detection
US11176237B2 (en) * 2016-06-12 2021-11-16 Apple Inc. Modifying security state with secured range detection
US10486646B2 (en) * 2017-09-29 2019-11-26 Apple Inc. Mobile device for communicating and ranging with access control system for automatic functionality

Also Published As

Publication number Publication date
CN113692584A (zh) 2021-11-23
WO2020214833A1 (fr) 2020-10-22
WO2020214833A9 (fr) 2020-12-24

Similar Documents

Publication Publication Date Title
US11250118B2 (en) Remote interaction with a device using secure range detection
AU2021200451B2 (en) Modifying security state with secured range detection
US11176237B2 (en) Modifying security state with secured range detection
US11832099B2 (en) System and method of notifying mobile devices to complete transactions
US20160286393A1 (en) Method and apparatus for seamless out-of-band authentication
US9524388B2 (en) System and method for enforcing a policy for an authenticator device
AU2018203927A1 (en) Auto-user registration and unlocking of a computing device
JP2019531567A (ja) System and method for device authentication
KR20160097323A (ko) NFC authentication mechanism
US20170289159A1 (en) Security support for free wi-fi and sponsored connectivity for paid wi-fi
US10021092B1 (en) Systems and methods for device authentication
US20190379655A1 (en) Data communication system
WO2020214833A1 (fr) Remote interaction with a device using secure range detection
US9648495B2 (en) Method and device for transmitting a verification request to an identification module
EP4203535A1 (fr) Systems and methods for credential sharing

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20210917

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20221209

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20230420