FR3076008A1 - Access authentication system with multiple input formats comprising a mobile and configurable authentication terminal, method and software therefor - Google Patents

Access authentication system with multiple input formats comprising a mobile and configurable authentication terminal, method and software therefor Download PDF

Info

Publication number
FR3076008A1
FR3076008A1 FR1701355A FR1701355A FR3076008A1 FR 3076008 A1 FR3076008 A1 FR 3076008A1 FR 1701355 A FR1701355 A FR 1701355A FR 1701355 A FR1701355 A FR 1701355A FR 3076008 A1 FR3076008 A1 FR 3076008A1
Authority
FR
France
Prior art keywords
rights
authentication
control1
information
controller
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
FR1701355A
Other languages
French (fr)
Inventor
Madeth May
Simon Ledunois
Maxime Blanchard
Mallory Daries
Mohammed Khalil El Ismaili
Jonathan Daumont
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Le Mans Univ
Original Assignee
Le Mans Univ
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Le Mans Univ filed Critical Le Mans Univ
Priority to FR1701355A priority Critical patent/FR3076008A1/en
Publication of FR3076008A1 publication Critical patent/FR3076008A1/en
Application status is Pending legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity ; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity ; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W12/002Mobile device security; Mobile application security
    • H04W12/0023Protecting application or service provisioning, e.g. securing SIM application provisioning
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00Individual entry or exit registers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity ; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02Terminal devices

Abstract

The invention relates to a system (SYST1) for authenticating access rights to a product, a place or a service, comprising an information system (SI1) coupled to a rights database (BD1) respectively associated with a plurality of users, at least one controller (CONTROL1) for authenticating said rights, adapted to deliver at least a first piece of information (VALID) representative of said rights (URIGHTS) of at least one of said users (USER) from said database (BD1) and a reading of a medium (TICKET) carrying a second representative information rights (URIGHTS) of said at least one user, characterized in that said controller (CONTROL1) authentication of said rights (URIGHTS ) is a mobile device configured to be at least temporarily connected to a remote application server (APPSERV) and to receive from said remote application server (APPSERV) at least one authentication application (APP) n of all or part of these rights (RIGHTS).

Description

MULTIPLE ENTRY ACCESS AUTHENTICATION SYSTEM COMPRISING A MOBILE AND CONFIGURABLE AUTHENTICATION TERMINAL, METHOD AND SOFTWARE THEREFOR.

Field of the invention The invention relates to the field of securing access and / or authentication of access rights to products, premises, locations, or services, and more particularly to the use of a mobile authentication terminal. Rights. 2. State of the art

It is known to use authentication and access security systems in a wide variety of contexts, such as the purchase without a checkout staff being present, the remote purchase, the conditional access to places, products or services. The means usually available to implement access control methods using authentication are, for example, a smart card, a magnetic stripe card, a radio frequency identification badge (RFID) a recurring or single-use code, an identification from a portable device following an activation or subscription, an optical identification of a display on the screen of a device or via an interface of communication of the device, biometric identification by fingerprint or visualization of an eye (biometric systems), recognition of shapes and in particular of a face, identification of a voice. This list of examples is of course not exhaustive. Although a large number of identification techniques exist, few are flexible and able to adapt to contextual identification modes related to an environment, an application or criteria inherent to the user, for example. It is not known an authentication system for controlling access, both from a fingerprint, and from information available from a mobile device smartphone, a smart watch, a tablet, an portable electronic key, a badge, a smart card, a track card, and this in any place. The list of these examples is not exhaustive. Existing solutions require limiting the format of access keys (and / or key support) available in an authentication system in formats that can be read by the authentication terminals available at the location (s) where they need to be. carried out control and authentication operations (theaters, cinema, parking, sports equipment, private places, for example).

The existing solutions therefore have disadvantages. 3. Summary of the invention. The invention makes it possible to improve at least one of the disadvantages of the state of the art by proposing a system for authenticating access rights to a product or a service, comprising an information system coupled to a database of rights respectively associated with a plurality of users, at least one rights authentication controller, adapted to deliver at least a first information representative of the rights of at least one of the users from the database and a reading of a medium carrying a second information representative of the rights of the at least one user, the system comprising a rights authentication controller of each of the users being a mobile device configured to be at least temporarily connected to a device; remote application server and to receive from this remote application server at least one authentication application of all or part e of these rights. ! According to one embodiment of the invention, the mobile rights authentication controller is (or perhaps) autonomous (via the use of a battery power supply) and comprises an interface for reading at least one code representative of all or part of the rights of a user. It also possibly includes one or more cameras, a biometric reader or an interface compatible with a wireless communication standard among the list: Bluetooth, RFID, NFC or any change of at least one of these standards.

According to one embodiment of the invention, the rights authentication controller is implemented in a connected tablet device or a smartphone device. The invention also relates to a method for authenticating access rights to a product or a service, in an authentication system (comprising an information system coupled to a database of rights respectively associated with a plurality of users, at least one rights authentication controller, adapted to issue at least a first representative information rights of at least one of the users from the database and a reading of a medium carrying a second information representative of the rights of the at least one user, which method comprises: downloading, from a remote application server, to the authentication controller, at least one rights authentication application adapted to authenticate access rights; at least one of the users of the system by a coupling of at least the authentication controller comprising the application tel flocked with a carrier carrying a second information representative of the rights of the at least one user.

I

According to one embodiment of the invention, the method for authenticating rights of access to a product, a place or a service, in an authentication system also comprises, after the download described: a coupling of the at least one authentication controller comprising the previously downloaded application with a medium carrying a second piece of information representative of the rights of the at least one user, and a reception, by the authentication controller from the medium, of the second information then, a transmission from the authentication controller of the first information to the remote information system according to at least the second information. Finally, the invention relates to a computer program product loadable directly into the internal memory of a computer and comprising portions of software code for the execution of all or part of the aforementioned steps of the method when this program is executed on a computer. computer. 4. List of figures. The invention will be better understood, and other features and advantages will become apparent on reading the description which follows, the description referring to the appended drawings in which: FIG. 1 represents a system of authentication SYST1 of keys of access according to a particular and non-limiting mode of the invention. FIG. 2 is a diagram illustrating steps of the authentication method implemented in the SYST1 system of FIG. 1 according to a particular and non-limiting embodiment of the invention. FIG. 3 represents architecture details of the authentication controller CONTROL1 of FIG. 1 according to a particular and nonlimiting embodiment of the invention. 5. Detailed description of embodiments of the invention.

FIG. 1 represents an SYST1 system for authenticating access keys to a product, service or location, according to a particular and non-limiting mode of the invention. According to the embodiment of the invention, the authentication controller device CONTROL1 comprises four input interface modules in1, in2, in3 and in4 capture information representative of a carrier (or user) of a key d access to a system, a place or a product, or at least a right of access granted to this holder. According to the embodiment, an in1 module of the controller device CONTROL1 is a smart card coupler, an in2 module of the controller device CONTROL1 is a biometric fingerprint reader, an in3 module of the device CONTROL1 is a near field reader NFC Near Field Communication (RFC) which uses Radio Frequency Identification (RFID) identification technology, which means radio frequency identification, and a module in4 of the device CONTROL1 is an optical reader, configured for reading a geometric shape (or pattern) printed or represented on a screen of a portable device, such as, for example a smartphone. The device CONTROL1 further comprises a digital camera coupled to a control unit. The control unit of the CONTROL1 device is also coupled to each of the aforementioned input interfaces. The form that can be read by the optical sensor or the camera of the device CONTROL1 is for example a QR code (of the English "Quick Response code" and that means fast response code). The camera of the controller device CONTROL1 is moreover adapted to the recognition of more generic forms and is configured for identification operations, such as, for example, the recognition of various types of codes representative of a bearer's rights. , the recognition of a physiological element of an individual, the recognition of a person among a group of people, the recognition of the appearance of an eye, these examples being non-limiting.

Each of these "readers", or "input interfaces", or "capture modules", not shown, is adapted to the generation of at least one code representative of the bearer and / or rights assigned punctually or durably to this carrier, authorizing him to have single use or recurring access, to a place, a service or a product, for example. Thus, the in1 smart card reader is configured to generate one or more information representative of the holder of a smart card or rights assigned to the cardholder who has been inserted into a reader of this interface.

In addition, the communication of the aforementioned representative information can be part of a complex protocol exchange, depending on the level of security of the transaction between the rights holder and the authentication and access control system. The in2 coupler operates in a manner similar to the in1 coupler, although it does not have technical characteristics similar to those of a chip card coupler, as it is a biometric detector. Such a coupler analyzes an input signal or a multitude of input signals and compares them with a prerecorded database in order to issue a key representative of one or more access rights or at least required for an authentication. In2 and in3 capture systems of different natures operate on the same principle.

Advantageously, the information transmitted on digital links bk1, bk2, bk3, and bk4, internal to the CONTROL1 controller (represented in FIG. 3), respectively coming from the capture modules in1, in2, in3 and in4, are transmitted to a key multiplexer module. rk (represented in FIG. 3) comprising a module or an interface for receiving random access keys from the interface modules in1, in2, in3 and in4, these keys being coded according to four partially or totally different logical and physical formats. An internal module ktm, whose input is connected to the output of the module rk, operates as a format converter random access keys received to deliver at its output rkb (elements ktm, rk and rbk are represented in FIG. ) a unique format (single frame) of keys deliverable at the input of an authentication module am connected to its output. The authentication module am (see FIG. 3) carries out a process of authentication of the keys received according to one or more protocols, using encryption methods or not, the details of which are not described further here, since participating in the understanding of the invention. According to the result of the authentication phase, the authentication control module CONTROL1 outputs one or more VALID codes intended to be interpreted or communicated by the remote module information system SU, coupled to a database user rights BD1, for the purpose of then controlling actuators whose state is dependent on the failure or success of the authentication phase and therefore the information VALID. According to one variant, the information VALID is exploited directly by the authentication terminal CONTROL1 which delivers a visual and / or audible signal depending on the success or otherwise of the authentication or a signal intended for one or more remote actuators or a remote control module configured to control one or more actuators.

Advantageously, the authentication device is a mobile and autonomous device that can be easily moved to any place for the purposes of operating controls and authentications of user rights. These checks are, for example, the verification of a right of entry to a place, an event, or the ability to subscribe a service or a service according to a quantum of rights remaining available and after an operation of ' pre-loading 'rights. Advantageously, the use of a mobile and autonomous device such as, for example, a tablet, a smartphone or a microcomputer makes it possible to dispense with the use of a sedentary control terminal similar to those which are regularly used for authentication to open a door, a gate, a turnstile, or in a PLC for the issuance of a product. Cleverly, the control device CONTROL1 connects before any identification operation "in the field" to an authentication application download server configured to deliver as a 'firmware' or application of medium or high- level, a software module APP adapted to operate, when implemented (executed) by the controller device CONTROL 1, rights authentication operations from reading information representative of these rights and information relating to a user available from the user database BD1 via the information system SU. This prior download of the dedicated APP authentication application confers on the SYST1 authentication system a very great flexibility of use since, in addition to its ability to control rights in a large variety of support formats, it can then operate in n any place by making limited wireless connections, with respect to exchanges with the remote system SU, a few codes of validation and control and possibly security codes implementing encryption techniques. Indeed, once the APP authentication application module has been downloaded into the CONTROL1 controller's memory and is running for authentication purposes, the CONTROL1 control and authentication module requires only a small amount of authentication. protocol exchanges with the information system SI1 coupled to the rights database, preloaded with information representative of these rights as and when they are obtained, by online shopping transactions (via the internet) or at home traders, for example.

Figure 2 is a diagram illustrating steps of the authentication method according to a particular and non-limiting embodiment of the invention. Step S1 is an initial step in which all the devices of the SYST1 system are operational and possibly interconnected, except, possibly, the authentication controller CONTROL1 which does not have (yet) an application (or firmware) adapted to the control operations required in a particular context. For example, the CONTROL1 controller must be used to authenticate access rights holders (admission tickets) to a theater, from QRCODE code and a barcode, and the CONTROL1 controller is still configured according to a past use, such as, for example, the control of tokens of access to meals in a school canteen, from RFID badges. At this stage, the information system SU is nominally operational and connected to the database BD1 of user rights. The information system is further configured to be connected, on demand, to the controller CONTROL1 through the communication link LU. The communication link LU is preferably a wireless link, such as for example according to an EDGE, GPRS, 2G, 3G, 4G communication standard or any change in one of these standards. According to variants, the link LU can be a link according to an IEEE80 wireless protocol ^ .11 (WIFI) or a wire link Ethernet type or using fiber optic communication. At this step S1, the dedicated application server APPSERV is also normally operational and has a mass memory used for storing at least one application. Typically, and in order to obtain all the benefits deriving from a plurality of applications stored in this memory, the mass memory contains a large variety of applications that can each be optimized to perform checks / identifications / authentications in different and very varied contexts. For example, a first APP application is adapted to the reading of admission tickets for a theater on a first predetermined date, a second application APP2 is adapted to the control of access rights to meals served in a first school canteen and a third APP3 application is adapted to control the validity of subscriptions for access to a pool, which are verified during the presentation of badges by the swimmers. These examples are obviously non-limiting.

In the same way as for the link LU, the link LI2 between the remote application server APPSERV and the mobile device CONTROL1 is preferentially wireless, and allows interconnection of the authentication controller device CONTROL1 in all locations where telecommunication links via LI2 are available. The set of elements constituting the control units and telecommunication interfaces specific to the SU, CONTROL and APPSERV devices are not described in detail since those customary to those skilled in the art of networks adapted to identification operations and not being useful for understanding the invention. In step S2, the mobile and autonomous authentication controller CONTROL1 sends an APPREQ request to the remote APPSERV authentication application server in order to request the download of the required APP application according to the context of the control operations to be performed. achieve. The APPREQ request contains APPINFO information representative of the APP application required. This APPINFO information may be representative of a command entered by the user (the controller) of the CONTROL1 device which will have to carry out the control operations. The entry of this instruction can be carried out by an input interface such as a mechanical keyboard or a tactile keyboard, for example, or by an operation of choice in a menu whose contents have been previously downloaded or inserted in a memory of the CONTROL1 device. According to a variant of the embodiment, TICKET titles held by the users, which are, for example, printed tickets, RFID cards, optical codes (QR codes, bar codes, etc.) each comprise at least one piece of information representative of the version of the application that is to be downloaded for the purpose of subsequently carrying out a control or rights authentication operation relating thereto. After the required APP application can be identified at the APPSERV remote application server, a download of the APP application from the APPSERV server and to the control device CONTROL1 is performed. The download uses techniques for updating applications or firmware as well known but having a level of security sufficiently high to minimize any attempt of fraud, invasion or theft (session theft) in the download session. Advantageously, the triggering of the download of the APP application to the device CONTROL1 may force the download to a plurality of control devices similar to C0NTR0L1 and at least partially compatible therewith. Advantageously, this can make it possible to quickly update a plurality of controllers for the purpose of being able to use them for controls at different entry points of a same theater, or the same restaurant, for example, or in different places participating in the same offer of service or products, according to the same commercial formula.

Advantageously, the flexibility of use offered by the remote download of the user rights authentication terminal APP application implemented by the mobile device and autonomous CONTROL1 makes it possible to make available to the event organizers / sellers of products or services, a solution to adapt to a fleet of commonly used devices compatible with the application and already available. Otherwise, the method and the system according to the invention allow the use of homogeneous devices and movable in any place to perform authentication operations. Indeed, once the APP application downloaded and executed in the CONTROL1 mobile and autonomous control and authentication device, and according to the selected authentication mode ("ON-LINE" or "OFF-LINE"), it is It is possible to carry out checks without requiring an exchange with the SI1 information system or the APPSERV application server (this is the case of using an "OFF-LINE" mode). In "OFF-LINE" mode, the CONTROL1 controller has all the required information in its storage memory, preferably in encrypted form, to validate / authenticate user rights. Advantageously, part of the information present in the rights database BD1 can be copied to the storage memory of the mobile controller CONTROL1 before any authentication operation specific to a predetermined context. It is the same for all or part of the authentication processes implemented at SU level when the CONTROL1 controller and the latter are connected, which can be executed at the level of the mobile controller CONTROL1 in "OFF-LINE" mode when these are implemented in the authentication APP application downloaded previously to the implementation of the "OFF-LINE" mode. In step S3, the APP application has previously been downloaded to the storage memory of the authentication controller device. CONTROL1 is executed by the control unit of the mobile controller CONTROL1 to successively authenticate rights corresponding to different users by read operations of TICKET title supports. Each of the TICKET title supports contains at least one piece of information representative of these rights, that is to say the access rights of a user to a place, product or service.

Each of these options is obviously nonexclusive. A title TICKET is for example implemented in the form of a printed ticket or entry ticket, but may be an RFID badge, a printed badge, a fingerprint, the image of an eye, a magnetic stripe card, a smart card, a barcode, an identity in the form of a vocal spectrum, a face, etc., these examples being non-limiting. The controller proceeds to a reading of the title, in order to read on the title TICKET associated with a bearer at least one information representative of the rights that are specific to him. The interface corresponding to the TICKET media type is activated by the user (the controller) of the control device. Thus, the user will activate the camera for a QR-code reading, or a chip card coupler for a chip card type TICKET, for example. Advantageously, and in the context where the context allows, the authentication terminal CONTROL1 can be immobilized after configuration and operate without having to request maneuvering from a user-controller. This is possible as soon as the downloaded and running APP authentication application provides for it, that is to say when authentication is possible successively without having to enter or configure anything.

Such an authentication configuration may however require to proceed under the supervision of a person authorized to validate definitively the authentication performed by the CONTROL1 terminal. For example, the mobile device CONTROL1 operating as a terminal may be placed near an entrance (door, gate, access corridor) and issue a visual or audible warning signal in the event of successful authentication or conversely a visual or audible warning signal distinct from the first if the authentication fails. The steps for verifying the validity of the title TICKET or the bearer are carried out in step S3, the final result of which is the delivery of at least one VALID information representative of the validity or invalidity of the rights attributed to the bearer of a title support TICKET. Once an authentication / control operation has been performed, the device CONTROL1 branches the execution of the APP application in its step S2, in order to perform a next check.

Cleverly, a proposal to download another application APP authentication can be made systematically to the user (controller) after a start or reset of the device CONTROL1, for example after a complete initialization of the set of internal modules to the CONTROL1 device.

FIG. 3 represents architecture details of the authentication controller CONTROL1 according to a particular and non-limiting embodiment of the invention.

The input interfaces in1, in2, in3 and in4 are configured to output at least one information representing rights associated with the bearer of a TICKET title read respectively through their output interfaces bk1, bk2, bk3 and bk4. According to the preferred embodiment of the invention, the representative rights information, also called here "key" is transmitted to the multiplexer module rk, then to the key code unification module that allows to transcode the key received in a format single, then facilitating all subsequent processing, which has the advantage of simplifying the next steps. The key unification module ktm transmits via its output interface tkb a key in a unique format, predetermined to the authentication control module am configured to deliver a VALID information on its output aoi. The information yALID thus generated allows the activation of one or more visual and / or sound signals, in particular in the "OFF-LINE" authentication mode, or transfer, if necessary, in addition, the information VALID to a system third. Thus, the information VALID can be used as a setpoint for controlling an actuator and to allow, for example, the opening of a door, the delivery of a product in a machine for supplying products (drinks, foodstuffs, other...).

According to the preferred embodiment of the invention, the device CONTROL1 comprises a control unit CTRLU comprising one or more microcontrollers and associated memories (mass storage memory, random access memory, non-volatile memory for maintaining configuration parameters) and all peripheral circuits conventionally known and useful for the implementation of such a control unit, such as, for example, a power supply supervisory circuit, a reset circuit, a power interface, one or more clock circuits, a time stamping circuit, input / output ports, peripheral modules for serial and / or parallel communications, display and input devices (eg keyboard). ), this list being non-exhaustive.

Advantageously, the use of the method and the device according to the invention makes it possible to address a very wide variety of access rights authentication requirements to places, products or services available to a large number of users. with a limited and complex infrastructure, so less expensive and in particular by using mobile and autonomous devices of current use such as connected tablets or smartphones, for example. (In other words, the SYST1 system according to the invention as a system for authenticating rights of access to a product, a place or a service, comprising the information system SU coupled to the database of BD1 rights respectively associated with a plurality of users The control device (also called control / authentication terminal) CONTROL1 rights authentication, is adapted to deliver at least the VALID information representative URIGHTS rights specific to each user USER from the database of rights BD1 and a read operation of a support TICKET, carried by the user.TICKET title support includes (door) at least one representative information URIGHTS rights of the user carrying the TICKET title support associated SYST1 system is cleverly configured so that one or more control terminals / authentication CONTROL1 rights URIGHTS are mobile devices configured to be at least temporarily connected to the remote application APPSERV server and to receive from this remote application APPSERV server at least the APP application for authentication of all or part of the URIGHTS rights, the application APP is downloaded to the mass memory of the authentication terminal (s) CONTROL1 to be executed thereafter.

Preferably, a control terminal CONTROL1 as aforesaid comprises an interface IF1 (among in1, in2, in3, in4, ...) reading at least one code representative of all or part of the URIGHTS rights of a user, at least a camera, a biometric reader and / or an interface compatible with a wireless communication standard from the list: Bluetooth, RFID, NFC or an evolution of at least one of these standards. A CONTROL1 terminal further comprises a wireless communication interface operating according to a wireless communication protocol compatible with a GSM, 2G, 3G, 4G standard or any change in one of these standards to be able to be connected to the information system SU on the one hand and to the application server APPSERV on the other hand;

According to the preferred embodiment of the system SYST1 described, the control terminals CONTROL1 are connected tablets or smartphones.

Thus, the method for authenticating rights of access to a product or a service implemented in the authentication system SYST1 comprising the information system SU coupled to the rights database BD1 respectively associated with a plurality of users, comprises at least one control device controller CONTROL1 rights authentication, adapted to deliver at least the representative information VALID URIGHTS rights of at least one USER USER from the database BD1, possibly partially or completely copied into its storage memory, and a read operation of a TICKET title support associated with the TICKET bearer user, this TICKET title support carrying coded or non-representative information of the bearer user's rights. The implementation of the method comprises: downloading, from the remote APPSERV server of the CONTROL1 terminal to the latter, at least the rights authentication APP application required for the current context and adapted to authenticate the rights of the user. at least the user, the coupling of the CONTROL1 controller terminal comprising the APP application downloaded and running with the title support TICKET carrying a representative information URIGHTS rights of the user to control (for which he should authenticate the rights).

According to one embodiment, the access rights authentication method described and implemented furthermore comprises, after downloading the transmission from the control terminal CONTROL1 of the information VALID to the information system SU in function. at least the information read and possibly decoded on (or since) the TICKET title support during the rights authentication phase. This makes it possible, if necessary, to reinforce authentication security in the case of authentication in "ONLINE" mode. The APP application operates as a computer program product loadable directly into the internal memory of the control terminal device CONTROL1 comprising portions of software code for the execution of the steps S3 and S4, and possibly S2 of the method previously described when the APP application is executed on the CONTROL1 device. The invention is not limited to the single embodiment described, but to any global access authentication system for a place, a product or a service comprising an information system coupled to a database of rights and whose at least one control and authentication terminal (controller) is a mobile device (tablet or smartphone, for example) configured to be at least temporarily connected to a remote application server and to receive from the remote application server at least an authentication application of all or part of the rights to authenticate.

Claims (6)

1. System (SYST1) for authentication of access rights to a product, a place or a service, including a system! I of information (SU) coupled to a database of rights (BD1) respectively associated with a plurality of users, at least one controller (CONTROL1) for authenticating said rights, adapted to deliver at least one first piece of information (VALID ) representative of said rights (URIGHTS) of at least one of said users (USER) from said database (BD1) and a reading of a medium (TICKET) carrying a second representative information rights (URIGHTS) of said at least one user, said system (SYST1) being characterized in that: - said controller (CONTROL1) for authentication of said rights (URIGHTS) is a mobile device configured to be at least temporarily connected to an application server (APPSERV) remote and to receive from said remote application server (APPSERV) at least one application (APP) authentication of all or part of said rights (RIGHTS).
2. System (SYST1) for authentication of rights of access to a product or service, according to claim 1, characterized in that said controller (CONTROL1) comprises an interface (IF1) for reading at least one representative code all or part of the rights (RIGHTS) of a user, comprising at least one camera, a biometric reader or an interface compatible with a wireless communication standard from the list: Bluetooth, RFID, NFC or an evolution from least one of these standards.
3. System (SYST1) for authentication of access rights to a product or service, according to any one of claims 1 or 2, characterized in that said controller (CONTROL1) is a connected tablet or a smartphone.
4. A method for authenticating rights of access to a product or a service, in an authentication system (SYST1) comprising an information system (SU) coupled to a rights database (BD1) respectively associated with a plurality of users, at least one controller (CONTROL1) for authenticating said rights, adapted to deliver at least a first information (VALID) representative of rights (URIGHTS) of at least one of said users (USER) from said database (BD1) and a reading of a medium carrying a first second information representative of said rights of said at least one user, said method being characterized in that it comprises: - a download from a server (APPSERV) remote application, to said controller (CONTROL1), at least one application (APP) rights authentication adapted to authenticate rights of at least one of said users of the sy steme (SYST1) by a coupling of said at least one controller (CONTROL1) comprising the application (APP) downloaded with a medium (TICKET) carrying a second piece of information representative of said rights (URIGHTS) of said at least one user.
5. A method for authenticating rights of access to a product or service, in an authentication system (SYST1), characterized in that it further comprises, after said downloading: a coupling of said at least one controller (CONTROL1) comprising the application (APP) previously downloaded with a support (TICKET) carrying a second piece of information representative of said rights (URIGHTS) of said at least one user,! a reception, by said controller (CONTROL1) from said medium (TICKET) of said second information, and, a transmission from said controller (CONTROL1) of said first information (VALID) to said information system (SU) according to at least said second information.
A computer program product loadable directly into the internal memory of a computer comprising portions of software code for performing the steps of the method according to any one of claims 4 to 5, when said program is executed on a computer.
FR1701355A 2017-12-21 2017-12-21 Access authentication system with multiple input formats comprising a mobile and configurable authentication terminal, method and software therefor Pending FR3076008A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
FR1701355A FR3076008A1 (en) 2017-12-21 2017-12-21 Access authentication system with multiple input formats comprising a mobile and configurable authentication terminal, method and software therefor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
FR1701355A FR3076008A1 (en) 2017-12-21 2017-12-21 Access authentication system with multiple input formats comprising a mobile and configurable authentication terminal, method and software therefor

Publications (1)

Publication Number Publication Date
FR3076008A1 true FR3076008A1 (en) 2019-06-28

Family

ID=62167384

Family Applications (1)

Application Number Title Priority Date Filing Date
FR1701355A Pending FR3076008A1 (en) 2017-12-21 2017-12-21 Access authentication system with multiple input formats comprising a mobile and configurable authentication terminal, method and software therefor

Country Status (1)

Country Link
FR (1) FR3076008A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2704077A1 (en) * 2012-08-31 2014-03-05 Nxp B.V. Authentication system and authentication method
US20150061827A1 (en) * 1999-03-26 2015-03-05 Swisscom Ag Single sign-on process
WO2017079984A1 (en) * 2015-11-13 2017-05-18 华为技术有限公司 Method of registering mobile pos, corresponding device and system
WO2017192215A1 (en) * 2016-05-03 2017-11-09 Johnson Controls Technology Company Virtual panel for access control system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150061827A1 (en) * 1999-03-26 2015-03-05 Swisscom Ag Single sign-on process
EP2704077A1 (en) * 2012-08-31 2014-03-05 Nxp B.V. Authentication system and authentication method
WO2017079984A1 (en) * 2015-11-13 2017-05-18 华为技术有限公司 Method of registering mobile pos, corresponding device and system
EP3364357A1 (en) * 2015-11-13 2018-08-22 Huawei Technologies Co., Ltd. Method of registering mobile pos, corresponding device and system
WO2017192215A1 (en) * 2016-05-03 2017-11-09 Johnson Controls Technology Company Virtual panel for access control system

Similar Documents

Publication Publication Date Title
US9628466B2 (en) Systems and methods for performing secure financial transactions
US7471199B2 (en) Mobile key using read/write RFID tag
US8522039B2 (en) Method and apparatus for establishing a federated identity using a personal wireless device
US7239226B2 (en) System and method for payment using radio frequency identification in contact and contactless transactions
US8666895B2 (en) Single action mobile transaction device
JP4399137B2 (en) Electronic payment system, payment apparatus and terminal
JP5129857B2 (en) Dynamically programmable RFID transponder
US6240517B1 (en) Integrated circuit card, integrated circuit card processing system, and integrated circuit card authentication method
US7774076B2 (en) System and method for validation of transactions
KR101632465B1 (en) Amplifying radio frequency signals
EP1733581B1 (en) Subscriber identity module
US8157178B2 (en) Manufacturing system to produce contactless devices with switches
US20120310760A1 (en) Mobile device automatic card account selection for a transaction
JP2011210267A (en) Method for data transmission and reception
US8469277B2 (en) Methods, systems and computer program products for wireless payment transactions
KR100705325B1 (en) RF-ID tag reading system for using password and method thereof
JP2010510609A (en) Point-of-sale transaction equipment with magnetic band emulator and biometric authentication
US7647279B2 (en) Method to make transactions secure by means of cards having unique and non-reproducible identifiers
US20130171967A1 (en) Providing Secure Execution of Mobile Device Workflows
US6601762B2 (en) Point-of-sale (POS) voice authentication transaction system
ES2662254T3 (en) Method and mobile terminal device that includes smart card module and near field communications media
CN101101687B (en) Method, apparatus, server and system using biological character for identity authentication
AU2007249461B2 (en) System and method for activating telephone-based payment instrument
JP4501241B2 (en) IC card and IC card data communication method
US20130275307A1 (en) Systems, methods, and computer readable media for conducting a transaction using cloud based credentials

Legal Events

Date Code Title Description
PLFP Fee payment

Year of fee payment: 2

PLSC Search report ready

Effective date: 20190628