GB2463732A - A method and system of controlling access to a resource dependent on the location of the user - Google Patents

A method and system of controlling access to a resource dependent on the location of the user Download PDF

Info

Publication number
GB2463732A
GB2463732A GB0817785A GB0817785A GB2463732A GB 2463732 A GB2463732 A GB 2463732A GB 0817785 A GB0817785 A GB 0817785A GB 0817785 A GB0817785 A GB 0817785A GB 2463732 A GB2463732 A GB 2463732A
Authority
GB
United Kingdom
Prior art keywords
remote user
location
value
time passcode
party
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0817785A
Other versions
GB0817785D0 (en
Inventor
Ewan Lister
Stephen Talent
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
LISTERTALENT Ltd
Original Assignee
LISTERTALENT Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by LISTERTALENT Ltd filed Critical LISTERTALENT Ltd
Priority to GB0817785A priority Critical patent/GB2463732A/en
Publication of GB0817785D0 publication Critical patent/GB0817785D0/en
Publication of GB2463732A publication Critical patent/GB2463732A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/63Location-dependent; Proximity-dependent

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method to validate a remote user's location comprises the determination of the location of the remote user 100; the use of a one time passcode generating algorithm to generate a one time passcode value by combing location data with the remote user's password and other appropriate data 120; transmitting the remote user's username, password and one time passcode value to a second party 130. Preferably the second party uses the username to determine a list of permitted location values for the remote user 140, generates a list of all permitted one time passcodes 150 and compares the received passcode with the list of one time passcodes 160.

Description

A METHOD AND SYSTEM OF CONTROLLING ACCESS TO A RESOURCE
FIELD OF THE INVENTION
The present invention relates to a method of controlling access to a resource in a telecommunications system and, in particular, relates to the provision of access based upon a location of a remote individual. The present invention also relates to a system including a number of mobile or fixed telecommunications devices to provide varying degrees of certainty as to the location of specific devices appropriate to the level of accuracy required at a particular time, and to allow or control the provision of services dependent thereon.
BACKGROUND OF THE INVENTION
More and more people are interacting over remote networks like the internet with people, groups or organisations. The lack of certainly associated with these remote networks has increased the opportunity for people to impersonate an individual for personal gain or malicious reasons.
This has given rise to the need to be able to identify individuals with a degree of certainty when they interact with each other or when they interact with groups and organisations.
In order to be more sure of the identity of and individual attempting to access a services from a remote location there are a number of commercially available systems that employ multi-factor authentication in order to authenticate the person attempting to access a service; and indeed there exists an open standards organisation OATH (Initiative for Open Authentication) which promotes the adoption of strong methods to authenticate an individual prior to granting access to a resource. These systems utilise a number of open standards to generate a one time passcode as part of authentication process which have been implemented either as dedicated hardware devices, such as the so-called hardware tokens, or as software running on mobile devices, such as the so-called soft tokens. As is known, a one time passcode is a password that changes after each login, or changes after a set time interval.
A problem associated with systems is there are circumstances where a legitimate user may not be allowed to access a resource for a variety of reasons. For example, while it is permitted to gamble online within some countries it is forbidden in others. If an online gambling service is protected by two-factor authentication then the service provider has no way of knowing if the player is in a country where gambling is permitted or not. This problem is further compounded if the player is routing their internet activities through proxy servers which will mask the source of the internet traffic.
This issue can also arise in inter-state communications in the United States and in inter-province matters in Canada. Significantly, tax issues may also arise; the respective government of a region will wish to claim tax in any sales that may arise, if said sales are deemed to be sold in a particular state/province/ county.
With the development of more sophisticated mobile devices it is now easy to establish unique geographical data relating to the remote user's location, for example through Global Positioning Services (GPS) or from a mobile telephone cellular base stations.
OBJECT OF THE INVENTION
The present invention seeks to provide an improved system of identifying a remote individual, or user, using a two-factor authentication processes that includes the geographic location of the individual within the generation of the one time passcode allow control of access based upon geographic information without increasing the amount of data transmitted during the authentication process.
SUMMARY OF THE INVENTION
In accordance with a first aspect of the invention, there is provided in a communications system comprising at least one mobile communications device, a method of validating a remote user's location, wherein the remote user can be connected to a second party via the network via a communications device capable of being programmed to generate one time passcodes with respect to the remote user based upon their location, the device having a memory operable to retain data which is related to the location of the remote user and shared information required for the correct operation of the one time passcode generation; the second party having a communications device and a memory operable to store the permitted location of the remote user with respect to a username for the remote user, their password, username and any other appropriate data required for the correct generation of the one time passcode generation; said method comprising the steps of: determining the geographic location of the remote user; generating a one time passcode value using a one time passcode generating algorithm by extracting the location value from the data available on the remote user's mobile communications device; combining the location data with the remote user's password and other appropriate data using a suitable algorithm to generate a one time passcode value; transmitting the user's username, password and one time passcode value to the second party's communications device via the communications system to request access to a resource.
In accordance with rules of provision of service and or legislation access to the resource can be provided or facilitated.
In accordance with another aspect of the invention, the remote user transmits their username, password and one time passcode value to the second party's communication device via the communications network when requesting access to the controlled resource to identify themselves and to confirm their location; wherein the second party generates a number of possible one time passcodes based upon the username, password, permitted locations from which the resource can be accessed and any other appropriate data required for the correct generation of the next one time passcode values; the password and remote user's location is validated in the event that one of the one time passcodes is the same as the passcode sent by the remote individual whereby the location of the remote user is validated; wherein in the event that the one time passcode value is determined to be correct then the necessary two-factor authentication of the remote user can thereby be achieved subject to the remote user knowing the password, being in a permitted location and using the remote user's device.
In accordance with another aspect of the invention, there is provided a system of validating a user's location in a communications system operable to ensure user's location validation, the system comprising a communications network, a method of determining the geographic location of the remote user, a mobile communications device, and a remote user; wherein the remote user is connected to the network via a communications device capable of being programmed to generate one time passcodes with respect to the remote user based upon their location, the device having a memory operable of retaining data which is related to the location of the remote user and shared information required for the generation of one time passcodes; the second party having a communications device and a memory operable to store the permitted locations of the remote user with respect to a username for the remote user, their password and any other appropriate data required for the correct generation of one time passcodes; wherein the remote user is operable to: i) extract a value representing the location of the remote user from within the mobile communications device; ii) generate a one time passcode value using a one time passcode generating algorithm using the location value from the data available on the remote user's mobile communications device by combining the location data with the user's password and other appropriate data using a suitable algorithm to generate a one time passcode value iii) transmit the remote user's username, password and one time passcode value to the second party's communication device via the communications network; wherein the second party using a communications device, is operable to: i) receive a password, username and one time passcode from the remote user; ii) generate a number of one time passcodes based upon the remote user's provided username and password combined with any appropriate data required for the generation of valid one time passcodes for each permitted location value; iii) compare the generated one time passcode values with the value received from the remote user.
The system provides a secure communications environment whereby a remote individual can be indentified to the second party and their location can be confirmed to be within the list of locations permitted by the second party. The information regarding the location the remote user is currently using is provided based upon the one time passcode entered by the remote user. A mathematical characteristic of one time passcode algorithms is that changing a single bit of data at certain points in the generation algorithm results in a different sequence of one time passcode values being generated.
This characteristic can be used to signal to the second party location the remote user is using to access the service. If there are n different locations permitted to the remote user then by encoding n bits of data it is possible to create n different one time passcodes. This system allows the remote user to trade off security against functionality rather than a single one time passcode being valid there may be up to n values that would be considered valid during the authentication process.
This arrangement means that a two-factor authentication process can be created based upon what the person knows and has -namely their password and the telecommunications device but authentication will only occur when they are at permitted locations.
The mobile communications device may be a mobile phone, a personal digital assistant or a computer, for example.
The present invention thus provides a means by which a remote user can be identified to be at a particular location using two-factor authentication by a second party. A location value is used to generate a one time passcode that can be securely passed to a communications device as and when required and validated against a set of locations permitted by the third party.
The present invention, by enabling a location of a mobile or remote user to be confirmed can enable location based services to be accessed whether as determined by law or by service permission accessibility. In the event that a transaction is performed or attempted, national tax agencies can be advised whereby revenue bodies can be informed.
DECRIPTION OF THE DRAWINGS
Figure 1 illustrates schematically one communications network according to the invention.
Figure 2 is a flowchart illustrating one method of confirming the location of a remote user in accordance with one embodiment of the invention.
DETAILED DESCRIPTION OF THE INVENTION
In order to provide a better understanding of the present invention an embodiment of the invention will now be described. It will be apparent, however, to one skilled in the art, that the present invention may be practised without these specific details. This should not be construed to limit the present invention, but should be viewed merely as an example of a specific way in which the invention can be implemented. Well known features have not been described in detail so as not to obscure the present invention.
With reference to Figure 1, there is shown a schematic diagram wherein a remote user 13 employs a mobile device 14 operating within a cellular area of coverage 15 as defined by the radio base station 16 in a cellular radio network 17. The remote user communicates using their mobile device across a communications network 11 to a second party's server 10. The remote user's mobile device 14 receives location information from the satellite 18. It will be appreciated that the communications network could be provided by other means -for example, the mobile device could be connected to the third party's server via a fixed telephone line or by satellite communications, the exact method of communicating with the second party's server is not critical.
The mobile device may, in fact be a number of landline telephones provided with or adapted to connect to a memory relating to the remote user or individual or a single landline telephone, laptop digital personal assistant or the like equipped with a memory that a remote user may take with him from site to site. Equally, the remote user 13 may utilise a remote terminal 12 connected via a communications network 11 to the second party's server.
That is the remote terminal may comprise a mobile device 14, a fixed terminal 12, a personal digital assistant, a laptop or other telecommunications device, which has a memory facility, either within a hard drive, or separately connected or installed such as a chip, akin to a SIM card. It will be appreciated that the mobile device may receive location information by other means -for example, the mobile device could establish location information from the radio base station 16 in a cellular radio network 17, or by a local transmitter specifically provided for the purpose, the exact method of obtaining the location information is not critical.
The second party server confirms authenticity of the remote user connected to the communication network that requires location data to be provided by the remote user before access is granted.
With reference to Figure 2, when the remote user wishes to use the services of the second party, they will connect to the second party's server and provide their two-factor authentication data. Their mobile device will get the value of the geographical location from where the user wishes to make the connection, 100. The remote user will enter the password they use to generate a one time passcode, 110, and the mobile device will then generate the one time passcode using the password, the geographical location value and any other information it may have stored in order to generate valid one time passcodes, 120. The user then send their username, password and one time passcode value to the second party across the communications network, or by other suitable means, 130.
When the second party receives the username, password and one time passcode values from the remote user via the communications network, or other suitable means, they recover a list of permitted location values associated with the username from memory along with any other information required to calculate valid one time passcodes, 140. The second party then generates a list of one time passcode values for each location using all of the information necessary, 150. The list of generated values is then compared with the one time passcode value sent by the remote user, 160. If the value send by the user is the same as one of the values generated by the second party then the user has been correctly authenticated and found to be located at a permitted location, the remote user is then granted access, 180. If the value sent by the remote user is not the same as any of the values calculated by the second party then the user has not provided correct information or in not in a location from which access can be granted so authentication has failed and the remote user is denied access.

Claims (5)

  1. CLAIMS1. In accordance with a first aspect of the invention, there is provided in a communications system comprising at least one mobile communications device, a method of validating a remote user's location, wherein the remote user can be connected to a second party via the network via a communications device capable of being programmed to generate one time passcodes with respect to the remote user based upon their location, the device having a memory operable to retain data which is related to the location of the remote user and shared information required for the correct operation of the one time passcode generation; the second party having a communications device and a memory operable to store the permitted location of the remote user with respect to a username for the remote user, their password, username and any other appropriate data required for the correct generation of the one time passcode generation; said method comprising the steps of: determining the geographic location of the remote user; generating a one time passcode value using a one time passcode generating algorithm by extracting the location value from the data available on the remote user's mobile communications device; combining the location data with the remote user's password and other appropriate data using a suitable algorithm to generate a one time passcode value; transmitting the user's username, password and one time passcode value to the second party's communications device via the communications system to request access to a resource.
  2. 2. A method in accordance with claim 1, in which there is provided a subsequent step comprising the second party's communication device receiving the username, password and one time passcode value from the remote user requesting access to a resource, to identify themselves and to confirm their location; wherein the second party gets a list of permitted location values based upon username provided and all other information required to generate the next one time passcode values; wherein the second party generates a list of all permitted next one time passcode values based upon the locations permitted to the remote user; wherein the event that the generated list of permitted next one time passcode values contains the same value as that received from the remote user in this instance then the necessary two-factor authentication of the remote user can thereby be achieved subject to the remote user knowing the password and using the remote user's mobile device from a location that is permitted to the remote user.
  3. 3. A system operable to provide validation of a user's location in a communications system to ensure user's location permitted, the system comprising a communications network, a method of determining the geographic location of the remote user, a mobile communications device, and a remote user; wherein the remote user is connected to the network via a mobile communications device operable to being programmed to generate one time passcodes with respect to the remote user based upon their location, the device having a memory operable of retaining data which is related to the location of the remote user and shared information required for the generation of one time passcodes; wherein the second party having a communications device and a memory operable to store the permitted locations of the remote user with respect to a username for the remote user, their password and any other appropriate data required for the correct generation of one time passcodes; wherein the remote user is operable to: i) extract a value representing the location of the remote user from within the mobile communications device; ii) generate a one time passcode value using a one time passcode generating algorithm using the location value from the data available on the remote user's mobile communications device by combining the location data with the user's password and other appropriate data using a suitable algorithm to generate a one time passcode value; iii) transmit the remote user's username, password and one time passcode value to the second party's communication device via the communications network; wherein the second party using a communications device, is operable to: i) receive a password, username and one time passcode from the remote user; ii) generate a number of one time passcodes based upon the remote user's provided username and password combined with any appropriate data required for the generation of valid one time passcodes for each permitted location value; iii) compare the generated one time passcode values with the value received from the remote user.
  4. 4. A system according to claim 3, wherein the remote user can communicate their location to the second party using a variation of the one time passcode value.
  5. 5. A system according to claim 3 or 4, wherein the remote device is one of a mobile phone, a personal digital assistant or a computer connected to location confirmation apparatus a fixed line telephone connected to location confirmation apparatus.
GB0817785A 2008-09-30 2008-09-30 A method and system of controlling access to a resource dependent on the location of the user Withdrawn GB2463732A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0817785A GB2463732A (en) 2008-09-30 2008-09-30 A method and system of controlling access to a resource dependent on the location of the user

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0817785A GB2463732A (en) 2008-09-30 2008-09-30 A method and system of controlling access to a resource dependent on the location of the user

Publications (2)

Publication Number Publication Date
GB0817785D0 GB0817785D0 (en) 2008-11-05
GB2463732A true GB2463732A (en) 2010-03-31

Family

ID=40019715

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0817785A Withdrawn GB2463732A (en) 2008-09-30 2008-09-30 A method and system of controlling access to a resource dependent on the location of the user

Country Status (1)

Country Link
GB (1) GB2463732A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9292670B2 (en) 2012-02-29 2016-03-22 Infosys Limited Systems and methods for generating and authenticating one time dynamic password based on context information
WO2017196468A1 (en) * 2016-05-13 2017-11-16 Symantec Corporation Systems and methods for location-restricting one-time passcodes
WO2021158945A1 (en) * 2020-02-06 2021-08-12 Jpmorgan Chase Bank, N.A. Systems and methods for authentication using dynamic, machine-readable authentication tokens

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007024170A1 (en) * 2005-08-23 2007-03-01 Smarttrust Ab Method for controlling the location information for authentication of a mobile station
US20070184817A1 (en) * 2002-09-12 2007-08-09 Jeyhan Karaoguz Location-based transaction authentication of wireless terminal

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070184817A1 (en) * 2002-09-12 2007-08-09 Jeyhan Karaoguz Location-based transaction authentication of wireless terminal
WO2007024170A1 (en) * 2005-08-23 2007-03-01 Smarttrust Ab Method for controlling the location information for authentication of a mobile station

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9292670B2 (en) 2012-02-29 2016-03-22 Infosys Limited Systems and methods for generating and authenticating one time dynamic password based on context information
WO2017196468A1 (en) * 2016-05-13 2017-11-16 Symantec Corporation Systems and methods for location-restricting one-time passcodes
WO2021158945A1 (en) * 2020-02-06 2021-08-12 Jpmorgan Chase Bank, N.A. Systems and methods for authentication using dynamic, machine-readable authentication tokens

Also Published As

Publication number Publication date
GB0817785D0 (en) 2008-11-05

Similar Documents

Publication Publication Date Title
US9578025B2 (en) Mobile network-based multi-factor authentication
EP2479957B1 (en) System and method for authenticating remote server access
US8646063B2 (en) Methods, apparatus, and computer program products for subscriber authentication and temporary code generation
US8896416B1 (en) Utilizing a mobile device to operate an electronic locking mechanism
Zhang et al. Location-based authentication and authorization using smart phones
US20070209081A1 (en) Methods, systems, and computer program products for providing a client device with temporary access to a service during authentication of the client device
US11176237B2 (en) Modifying security state with secured range detection
CN103249045A (en) Identification method, device and system
US9699656B2 (en) Systems and methods of authenticating and controlling access over customer data
US20210234850A1 (en) System and method for accessing encrypted data remotely
WO2017076216A1 (en) Server, mobile terminal, and internet real name authentication system and method
US20180234418A1 (en) Method and apparatus for facilitating access to publish or post utilizing frictionless two-factor authentication
CN110278084B (en) eID establishing method, related device and system
CN103679000A (en) Apparatus and method for remotely deleting critical information
US9443069B1 (en) Verification platform having interface adapted for communication with verification agent
US20160373442A1 (en) User identity based on location patterns of non-associated devices
CN108966232B (en) Service network-based wireless Internet of things physical layer hybrid authentication method and system
WO2019173620A1 (en) Method and apparatus for facilitating frictionless two-factor authentication
GB2463732A (en) A method and system of controlling access to a resource dependent on the location of the user
EP2482575A1 (en) Authenticating and localizing a mobile user
JP5004635B2 (en) Authentication device, authentication system, broadcast device, authentication method, and broadcast method
US11763309B2 (en) System and method for maintaining a fraud risk profile in a fraud risk engine
US9723436B2 (en) Mobile device location
EP3864878B1 (en) Method for accessing data or a service from a first user device and corresponding second user device, server and system
WO2019191369A1 (en) Method and apparatus for facilitating access to publish or post utilizing frictionless two-factor authentication

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)