GB2463732A - A method and system of controlling access to a resource dependent on the location of the user - Google Patents
A method and system of controlling access to a resource dependent on the location of the user Download PDFInfo
- Publication number
- GB2463732A GB2463732A GB0817785A GB0817785A GB2463732A GB 2463732 A GB2463732 A GB 2463732A GB 0817785 A GB0817785 A GB 0817785A GB 0817785 A GB0817785 A GB 0817785A GB 2463732 A GB2463732 A GB 2463732A
- Authority
- GB
- United Kingdom
- Prior art keywords
- remote user
- location
- value
- time passcode
- party
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/107—Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/082—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/63—Location-dependent; Proximity-dependent
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Telephonic Communication Services (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
A method to validate a remote user's location comprises the determination of the location of the remote user 100; the use of a one time passcode generating algorithm to generate a one time passcode value by combing location data with the remote user's password and other appropriate data 120; transmitting the remote user's username, password and one time passcode value to a second party 130. Preferably the second party uses the username to determine a list of permitted location values for the remote user 140, generates a list of all permitted one time passcodes 150 and compares the received passcode with the list of one time passcodes 160.
Description
A METHOD AND SYSTEM OF CONTROLLING ACCESS TO A RESOURCE
FIELD OF THE INVENTION
The present invention relates to a method of controlling access to a resource in a telecommunications system and, in particular, relates to the provision of access based upon a location of a remote individual. The present invention also relates to a system including a number of mobile or fixed telecommunications devices to provide varying degrees of certainty as to the location of specific devices appropriate to the level of accuracy required at a particular time, and to allow or control the provision of services dependent thereon.
BACKGROUND OF THE INVENTION
More and more people are interacting over remote networks like the internet with people, groups or organisations. The lack of certainly associated with these remote networks has increased the opportunity for people to impersonate an individual for personal gain or malicious reasons.
This has given rise to the need to be able to identify individuals with a degree of certainty when they interact with each other or when they interact with groups and organisations.
In order to be more sure of the identity of and individual attempting to access a services from a remote location there are a number of commercially available systems that employ multi-factor authentication in order to authenticate the person attempting to access a service; and indeed there exists an open standards organisation OATH (Initiative for Open Authentication) which promotes the adoption of strong methods to authenticate an individual prior to granting access to a resource. These systems utilise a number of open standards to generate a one time passcode as part of authentication process which have been implemented either as dedicated hardware devices, such as the so-called hardware tokens, or as software running on mobile devices, such as the so-called soft tokens. As is known, a one time passcode is a password that changes after each login, or changes after a set time interval.
A problem associated with systems is there are circumstances where a legitimate user may not be allowed to access a resource for a variety of reasons. For example, while it is permitted to gamble online within some countries it is forbidden in others. If an online gambling service is protected by two-factor authentication then the service provider has no way of knowing if the player is in a country where gambling is permitted or not. This problem is further compounded if the player is routing their internet activities through proxy servers which will mask the source of the internet traffic.
This issue can also arise in inter-state communications in the United States and in inter-province matters in Canada. Significantly, tax issues may also arise; the respective government of a region will wish to claim tax in any sales that may arise, if said sales are deemed to be sold in a particular state/province/ county.
With the development of more sophisticated mobile devices it is now easy to establish unique geographical data relating to the remote user's location, for example through Global Positioning Services (GPS) or from a mobile telephone cellular base stations.
OBJECT OF THE INVENTION
The present invention seeks to provide an improved system of identifying a remote individual, or user, using a two-factor authentication processes that includes the geographic location of the individual within the generation of the one time passcode allow control of access based upon geographic information without increasing the amount of data transmitted during the authentication process.
SUMMARY OF THE INVENTION
In accordance with a first aspect of the invention, there is provided in a communications system comprising at least one mobile communications device, a method of validating a remote user's location, wherein the remote user can be connected to a second party via the network via a communications device capable of being programmed to generate one time passcodes with respect to the remote user based upon their location, the device having a memory operable to retain data which is related to the location of the remote user and shared information required for the correct operation of the one time passcode generation; the second party having a communications device and a memory operable to store the permitted location of the remote user with respect to a username for the remote user, their password, username and any other appropriate data required for the correct generation of the one time passcode generation; said method comprising the steps of: determining the geographic location of the remote user; generating a one time passcode value using a one time passcode generating algorithm by extracting the location value from the data available on the remote user's mobile communications device; combining the location data with the remote user's password and other appropriate data using a suitable algorithm to generate a one time passcode value; transmitting the user's username, password and one time passcode value to the second party's communications device via the communications system to request access to a resource.
In accordance with rules of provision of service and or legislation access to the resource can be provided or facilitated.
In accordance with another aspect of the invention, the remote user transmits their username, password and one time passcode value to the second party's communication device via the communications network when requesting access to the controlled resource to identify themselves and to confirm their location; wherein the second party generates a number of possible one time passcodes based upon the username, password, permitted locations from which the resource can be accessed and any other appropriate data required for the correct generation of the next one time passcode values; the password and remote user's location is validated in the event that one of the one time passcodes is the same as the passcode sent by the remote individual whereby the location of the remote user is validated; wherein in the event that the one time passcode value is determined to be correct then the necessary two-factor authentication of the remote user can thereby be achieved subject to the remote user knowing the password, being in a permitted location and using the remote user's device.
In accordance with another aspect of the invention, there is provided a system of validating a user's location in a communications system operable to ensure user's location validation, the system comprising a communications network, a method of determining the geographic location of the remote user, a mobile communications device, and a remote user; wherein the remote user is connected to the network via a communications device capable of being programmed to generate one time passcodes with respect to the remote user based upon their location, the device having a memory operable of retaining data which is related to the location of the remote user and shared information required for the generation of one time passcodes; the second party having a communications device and a memory operable to store the permitted locations of the remote user with respect to a username for the remote user, their password and any other appropriate data required for the correct generation of one time passcodes; wherein the remote user is operable to: i) extract a value representing the location of the remote user from within the mobile communications device; ii) generate a one time passcode value using a one time passcode generating algorithm using the location value from the data available on the remote user's mobile communications device by combining the location data with the user's password and other appropriate data using a suitable algorithm to generate a one time passcode value iii) transmit the remote user's username, password and one time passcode value to the second party's communication device via the communications network; wherein the second party using a communications device, is operable to: i) receive a password, username and one time passcode from the remote user; ii) generate a number of one time passcodes based upon the remote user's provided username and password combined with any appropriate data required for the generation of valid one time passcodes for each permitted location value; iii) compare the generated one time passcode values with the value received from the remote user.
The system provides a secure communications environment whereby a remote individual can be indentified to the second party and their location can be confirmed to be within the list of locations permitted by the second party. The information regarding the location the remote user is currently using is provided based upon the one time passcode entered by the remote user. A mathematical characteristic of one time passcode algorithms is that changing a single bit of data at certain points in the generation algorithm results in a different sequence of one time passcode values being generated.
This characteristic can be used to signal to the second party location the remote user is using to access the service. If there are n different locations permitted to the remote user then by encoding n bits of data it is possible to create n different one time passcodes. This system allows the remote user to trade off security against functionality rather than a single one time passcode being valid there may be up to n values that would be considered valid during the authentication process.
This arrangement means that a two-factor authentication process can be created based upon what the person knows and has -namely their password and the telecommunications device but authentication will only occur when they are at permitted locations.
The mobile communications device may be a mobile phone, a personal digital assistant or a computer, for example.
The present invention thus provides a means by which a remote user can be identified to be at a particular location using two-factor authentication by a second party. A location value is used to generate a one time passcode that can be securely passed to a communications device as and when required and validated against a set of locations permitted by the third party.
The present invention, by enabling a location of a mobile or remote user to be confirmed can enable location based services to be accessed whether as determined by law or by service permission accessibility. In the event that a transaction is performed or attempted, national tax agencies can be advised whereby revenue bodies can be informed.
DECRIPTION OF THE DRAWINGS
Figure 1 illustrates schematically one communications network according to the invention.
Figure 2 is a flowchart illustrating one method of confirming the location of a remote user in accordance with one embodiment of the invention.
DETAILED DESCRIPTION OF THE INVENTION
In order to provide a better understanding of the present invention an embodiment of the invention will now be described. It will be apparent, however, to one skilled in the art, that the present invention may be practised without these specific details. This should not be construed to limit the present invention, but should be viewed merely as an example of a specific way in which the invention can be implemented. Well known features have not been described in detail so as not to obscure the present invention.
With reference to Figure 1, there is shown a schematic diagram wherein a remote user 13 employs a mobile device 14 operating within a cellular area of coverage 15 as defined by the radio base station 16 in a cellular radio network 17. The remote user communicates using their mobile device across a communications network 11 to a second party's server 10. The remote user's mobile device 14 receives location information from the satellite 18. It will be appreciated that the communications network could be provided by other means -for example, the mobile device could be connected to the third party's server via a fixed telephone line or by satellite communications, the exact method of communicating with the second party's server is not critical.
The mobile device may, in fact be a number of landline telephones provided with or adapted to connect to a memory relating to the remote user or individual or a single landline telephone, laptop digital personal assistant or the like equipped with a memory that a remote user may take with him from site to site. Equally, the remote user 13 may utilise a remote terminal 12 connected via a communications network 11 to the second party's server.
That is the remote terminal may comprise a mobile device 14, a fixed terminal 12, a personal digital assistant, a laptop or other telecommunications device, which has a memory facility, either within a hard drive, or separately connected or installed such as a chip, akin to a SIM card. It will be appreciated that the mobile device may receive location information by other means -for example, the mobile device could establish location information from the radio base station 16 in a cellular radio network 17, or by a local transmitter specifically provided for the purpose, the exact method of obtaining the location information is not critical.
The second party server confirms authenticity of the remote user connected to the communication network that requires location data to be provided by the remote user before access is granted.
With reference to Figure 2, when the remote user wishes to use the services of the second party, they will connect to the second party's server and provide their two-factor authentication data. Their mobile device will get the value of the geographical location from where the user wishes to make the connection, 100. The remote user will enter the password they use to generate a one time passcode, 110, and the mobile device will then generate the one time passcode using the password, the geographical location value and any other information it may have stored in order to generate valid one time passcodes, 120. The user then send their username, password and one time passcode value to the second party across the communications network, or by other suitable means, 130.
When the second party receives the username, password and one time passcode values from the remote user via the communications network, or other suitable means, they recover a list of permitted location values associated with the username from memory along with any other information required to calculate valid one time passcodes, 140. The second party then generates a list of one time passcode values for each location using all of the information necessary, 150. The list of generated values is then compared with the one time passcode value sent by the remote user, 160. If the value send by the user is the same as one of the values generated by the second party then the user has been correctly authenticated and found to be located at a permitted location, the remote user is then granted access, 180. If the value sent by the remote user is not the same as any of the values calculated by the second party then the user has not provided correct information or in not in a location from which access can be granted so authentication has failed and the remote user is denied access.
Claims (5)
- CLAIMS1. In accordance with a first aspect of the invention, there is provided in a communications system comprising at least one mobile communications device, a method of validating a remote user's location, wherein the remote user can be connected to a second party via the network via a communications device capable of being programmed to generate one time passcodes with respect to the remote user based upon their location, the device having a memory operable to retain data which is related to the location of the remote user and shared information required for the correct operation of the one time passcode generation; the second party having a communications device and a memory operable to store the permitted location of the remote user with respect to a username for the remote user, their password, username and any other appropriate data required for the correct generation of the one time passcode generation; said method comprising the steps of: determining the geographic location of the remote user; generating a one time passcode value using a one time passcode generating algorithm by extracting the location value from the data available on the remote user's mobile communications device; combining the location data with the remote user's password and other appropriate data using a suitable algorithm to generate a one time passcode value; transmitting the user's username, password and one time passcode value to the second party's communications device via the communications system to request access to a resource.
- 2. A method in accordance with claim 1, in which there is provided a subsequent step comprising the second party's communication device receiving the username, password and one time passcode value from the remote user requesting access to a resource, to identify themselves and to confirm their location; wherein the second party gets a list of permitted location values based upon username provided and all other information required to generate the next one time passcode values; wherein the second party generates a list of all permitted next one time passcode values based upon the locations permitted to the remote user; wherein the event that the generated list of permitted next one time passcode values contains the same value as that received from the remote user in this instance then the necessary two-factor authentication of the remote user can thereby be achieved subject to the remote user knowing the password and using the remote user's mobile device from a location that is permitted to the remote user.
- 3. A system operable to provide validation of a user's location in a communications system to ensure user's location permitted, the system comprising a communications network, a method of determining the geographic location of the remote user, a mobile communications device, and a remote user; wherein the remote user is connected to the network via a mobile communications device operable to being programmed to generate one time passcodes with respect to the remote user based upon their location, the device having a memory operable of retaining data which is related to the location of the remote user and shared information required for the generation of one time passcodes; wherein the second party having a communications device and a memory operable to store the permitted locations of the remote user with respect to a username for the remote user, their password and any other appropriate data required for the correct generation of one time passcodes; wherein the remote user is operable to: i) extract a value representing the location of the remote user from within the mobile communications device; ii) generate a one time passcode value using a one time passcode generating algorithm using the location value from the data available on the remote user's mobile communications device by combining the location data with the user's password and other appropriate data using a suitable algorithm to generate a one time passcode value; iii) transmit the remote user's username, password and one time passcode value to the second party's communication device via the communications network; wherein the second party using a communications device, is operable to: i) receive a password, username and one time passcode from the remote user; ii) generate a number of one time passcodes based upon the remote user's provided username and password combined with any appropriate data required for the generation of valid one time passcodes for each permitted location value; iii) compare the generated one time passcode values with the value received from the remote user.
- 4. A system according to claim 3, wherein the remote user can communicate their location to the second party using a variation of the one time passcode value.
- 5. A system according to claim 3 or 4, wherein the remote device is one of a mobile phone, a personal digital assistant or a computer connected to location confirmation apparatus a fixed line telephone connected to location confirmation apparatus.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0817785A GB2463732A (en) | 2008-09-30 | 2008-09-30 | A method and system of controlling access to a resource dependent on the location of the user |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0817785A GB2463732A (en) | 2008-09-30 | 2008-09-30 | A method and system of controlling access to a resource dependent on the location of the user |
Publications (2)
Publication Number | Publication Date |
---|---|
GB0817785D0 GB0817785D0 (en) | 2008-11-05 |
GB2463732A true GB2463732A (en) | 2010-03-31 |
Family
ID=40019715
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB0817785A Withdrawn GB2463732A (en) | 2008-09-30 | 2008-09-30 | A method and system of controlling access to a resource dependent on the location of the user |
Country Status (1)
Country | Link |
---|---|
GB (1) | GB2463732A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9292670B2 (en) | 2012-02-29 | 2016-03-22 | Infosys Limited | Systems and methods for generating and authenticating one time dynamic password based on context information |
WO2017196468A1 (en) * | 2016-05-13 | 2017-11-16 | Symantec Corporation | Systems and methods for location-restricting one-time passcodes |
WO2021158945A1 (en) * | 2020-02-06 | 2021-08-12 | Jpmorgan Chase Bank, N.A. | Systems and methods for authentication using dynamic, machine-readable authentication tokens |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007024170A1 (en) * | 2005-08-23 | 2007-03-01 | Smarttrust Ab | Method for controlling the location information for authentication of a mobile station |
US20070184817A1 (en) * | 2002-09-12 | 2007-08-09 | Jeyhan Karaoguz | Location-based transaction authentication of wireless terminal |
-
2008
- 2008-09-30 GB GB0817785A patent/GB2463732A/en not_active Withdrawn
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070184817A1 (en) * | 2002-09-12 | 2007-08-09 | Jeyhan Karaoguz | Location-based transaction authentication of wireless terminal |
WO2007024170A1 (en) * | 2005-08-23 | 2007-03-01 | Smarttrust Ab | Method for controlling the location information for authentication of a mobile station |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9292670B2 (en) | 2012-02-29 | 2016-03-22 | Infosys Limited | Systems and methods for generating and authenticating one time dynamic password based on context information |
WO2017196468A1 (en) * | 2016-05-13 | 2017-11-16 | Symantec Corporation | Systems and methods for location-restricting one-time passcodes |
WO2021158945A1 (en) * | 2020-02-06 | 2021-08-12 | Jpmorgan Chase Bank, N.A. | Systems and methods for authentication using dynamic, machine-readable authentication tokens |
Also Published As
Publication number | Publication date |
---|---|
GB0817785D0 (en) | 2008-11-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9578025B2 (en) | Mobile network-based multi-factor authentication | |
EP2479957B1 (en) | System and method for authenticating remote server access | |
US8646063B2 (en) | Methods, apparatus, and computer program products for subscriber authentication and temporary code generation | |
US8896416B1 (en) | Utilizing a mobile device to operate an electronic locking mechanism | |
Zhang et al. | Location-based authentication and authorization using smart phones | |
US20070209081A1 (en) | Methods, systems, and computer program products for providing a client device with temporary access to a service during authentication of the client device | |
US11176237B2 (en) | Modifying security state with secured range detection | |
CN103249045A (en) | Identification method, device and system | |
US9699656B2 (en) | Systems and methods of authenticating and controlling access over customer data | |
US20210234850A1 (en) | System and method for accessing encrypted data remotely | |
WO2017076216A1 (en) | Server, mobile terminal, and internet real name authentication system and method | |
US20180234418A1 (en) | Method and apparatus for facilitating access to publish or post utilizing frictionless two-factor authentication | |
CN110278084B (en) | eID establishing method, related device and system | |
CN103679000A (en) | Apparatus and method for remotely deleting critical information | |
US9443069B1 (en) | Verification platform having interface adapted for communication with verification agent | |
US20160373442A1 (en) | User identity based on location patterns of non-associated devices | |
CN108966232B (en) | Service network-based wireless Internet of things physical layer hybrid authentication method and system | |
WO2019173620A1 (en) | Method and apparatus for facilitating frictionless two-factor authentication | |
GB2463732A (en) | A method and system of controlling access to a resource dependent on the location of the user | |
EP2482575A1 (en) | Authenticating and localizing a mobile user | |
JP5004635B2 (en) | Authentication device, authentication system, broadcast device, authentication method, and broadcast method | |
US11763309B2 (en) | System and method for maintaining a fraud risk profile in a fraud risk engine | |
US9723436B2 (en) | Mobile device location | |
EP3864878B1 (en) | Method for accessing data or a service from a first user device and corresponding second user device, server and system | |
WO2019191369A1 (en) | Method and apparatus for facilitating access to publish or post utilizing frictionless two-factor authentication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1) |