GB2547231A - Apparatus, method and computer program product for use in authenticating a user - Google Patents

Publication number: GB2547231A
Authority: GB (United Kingdom)
Prior art keywords: msisdn, user, authentication, enterprise service, token
Legal status: Granted
Application number: GB1602468.9A
Other versions: GB2547231B (en), GB201602468D0 (en)
Inventor: Fielder Nicholas, Patrikios Nestor
Current Assignee: Vodafone IP Licensing Ltd
Original Assignee: Vodafone IP Licensing Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3215 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a plurality of channels
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/72 Subscriber identity

Abstract

In multi-factor authentication (MFA) systems it is known to use messages via cell phones and similar to provide one authentication factor. Registration method - a mobile network operator (MNO) server 120 receives a user ID (e.g. email address) 302 from an enterprise authentication system 301 and transmits a registration token 305a,b to a user, who responds by returning the token over a packet mobile network. The network performs header enrichment to add a Mobile Station International Subscriber Directory Number (MSISDN) (i.e. a phone number) to the packet. The MNO server extracts the MSISDN, associates it with the user ID and returns it to the enterprise 306. The MSISDN is effectively endorsed by the MNO since it provides it through the header enrichment. Authentication method - a user ID with a registered MSISDN is requested 308. The MNO server transmits an authentication token to a user ID 309a,b; the user returns the token over the cellular packet network, where an MSISDN is added using header enrichment. The MNO compares the registered and enriched MSISDN and returns an authenticated yes/no response to the enterprise depending on the match. Alternative registration using SMS rather than header enrichment is also claimed.

Description

APPARATUS, METHOD AND COMPUTER PROGRAM PRODUCT FOR USE IN AUTHENTICATING A USER
FIELD OF THE DISCLOSURE
[0001] The present application relates to apparatuses, methods and computer program products for use in authenticating a user. In particular, the application relates to authenticating a user of an enterprise service using a Mobile Station International Subscriber Directory Number (MSISDN).
BACKGROUND
[0002] Access to data and computing resources and services can these days advantageously be provided to users over the Internet, allowing the benefits of those resources to be gained through suitable Internet-connected devices from a variety of networks and locations throughout the world. In this regard, organisations such as companies often themselves, or together with service providers of enterprise systems, provide Internet-accessible data and computing resources that implement enterprise services to allow their workforce, agents, suppliers and clients to interact with and get the benefit of these enterprise services.
[0003] For example, a company may provide an Internet-accessible email service or document management service for use by its employees. Generally, access to these services is controlled through specified servers which may be on the premises of the providing organisation, or that of a specified third party, by which the means of access to the resources can be defined and managed more readily by the organisation. However, as more and more enterprise services become hosted in the cloud, for example through third party cloud services providers, access to these enterprise services will be through more public-facing interfaces, which places an even greater emphasis on user access control.
[0004] Indeed, control and security of user access is complicated further by the increasing prevalence of the provision of user access to enterprise service resources through a range of different devices and networks. For example, portable electronic devices in the form of smart phones wirelessly connected to a cellular telecommunications network providing data communications with the Internet are now widely used by users desiring access to Internet-accessible enterprise services and resources. Further, the increasing practice of organisations allowing employees to “bring your own device” to the workplace to gain access to secure enterprise resources and applications further increases at least the perceived vulnerability of secure access to enterprise services because those employees’ personal devices are generally not managed or operated by the IT security administrators of the organisation. Thus the security of those devices can be vulnerable if compromised by theft or malware.
[0005] As a result, the range of different means of access to enterprise services now available to users which are outside of the direct control of organisations places a greater importance on the reliability and security of user access control.
[0006] Access to the enterprise services and resources needs to be granted only to specific users. For this, each user is typically provided access to the enterprise service through a user account which represents a digital identity of the user in the domain of the system. A user’s account allows a user to authenticate his or her identity to the system providing access to the enterprise services and to receive authorised access to the data and computing resources provided thereby. User accounts also provide a mechanism for accounting, security, logging and resource management.
[0007] To log into a user account to assume control of the user’s digital identity in the system, the user is required to authenticate his or her identity to the system. This is achieved by requiring the user to provide one or more credentials to the system that should only be available to that specific user.
[0008] A particularly effective way of authenticating the identity of a user desiring access to an enterprise service is through two factor authentication. In two factor authentication, a user logging onto an enterprise service is required to supply credentials from two different authentication factors before the user’s identity can be authenticated and access to the resource can be granted through the digital identity of the user account. Each authentication factor represents a different type of credential that is either a physical object in possession of the user (such as a key fob generating a secret token), a secret known to the user (such as a username and password combination), or some physical characteristic of the user (such as a fingerprint). Two factor authentication is thought to be more reliable because an unauthorised actor is unlikely to be able to supply more than one authentication factor required to gain access to the resources. However, access to resources via two factor authentication is often less convenient and more problematic for users in that the user is required to provide more than one credential, which in many cases requires the user to carry an additional physical object such as a key fob at all times. In general, it would be desirable for providers of enterprise systems to enable reliably secure and authenticated access to users in as convenient a manner as possible.
[0009] It is in the above context that the present disclosure has been devised.
SUMMARY OF THE DISCLOSURE
[0010] The devisers of the present disclosure have realised that, as enterprise service users will typically have personal smart phones which they will generally keep in their possession, these smart phones could be used to provide a convenient mechanism for user authentication to facilitate secure access to enterprise resources.
[0011] Thus, viewed from one aspect, the present disclosure provides apparatus for use in authenticating a user of an enterprise service using a Mobile Station International Subscriber Directory Number (MSISDN) uniquely identifying the user’s subscription to a wireless cellular telecommunications network, the apparatus comprising one or more servers configured to, individually or together: cause an MSISDN registration token to be sent electronically to a user; receive, from a user equipment of the user of the enterprise service via a wireless cellular telecommunications network, data packets including the MSISDN registration token, the data packets having been sent by the user equipment pursuant to an interaction in the user equipment with the MSISDN registration token, the header of the data packets having been enriched by the wireless cellular telecommunications network to include at least the user’s MSISDN; extract the verified MSISDN from the enriched header of the data packets; map the MSISDN to an identifier of a digital identity of the user in the enterprise service based on the token and the extracted MSISDN; and send the authenticated MSISDN to an enterprise service identity provider to allow registration of the MSISDN as an authentication factor of the digital identity of the user of the enterprise service and an association between the MSISDN and the identifier serving as the digital identity of the user.
[0012] By the above aspect, a service can be provided enabling the registration of an enterprise service user’s MSISDN, which identifies the user’s service subscription to a cellular telecommunication network provider, as an authentication factor related to authentication of an identifier serving as the digital identity of the user in the enterprise service. This is achieved through interaction of the user’s device with an MSISDN registration token, which causes the device to send packet data, for example in the form of an HTTP Request, to a server via the wireless cellular telecommunication network. A server in, for example, the core of the wireless cellular telecommunication network then enriches the header of the packet data to include the user’s MSISDN. This header enrichment technique is secure and reliable and immediately validates the MSISDN to the authentication service, and also is convenient for the user as it avoids the user needing to manually input the MSISDN for validation, and it also avoids a subsequent step of authentication through, for example, transmission by the network of a Short Message Service (SMS) message to the MSISDN including a further validation token for the user to input. In this way, the user’s MSISDN of his subscription can be registered for use as an authentication factor in a two factor authentication process for an enterprise service, which can be achieved simply and conveniently by the user simply interacting with an MSISDN registration token on the device and sending the packet data to the registration system through the wireless cellular communications network. As the user’s MSISDN typically stays the same over time as the user changes smart phones (i.e. moves a SIM card from one phone to the next) and changes SIM cards (provided the MSISDN is ported), the use of the MSISDN is more portable and therefore more stable as a reusable authentication factor. Further, as it is the network that is applying the MSISDN to the packet data through header enrichment, the indication of the MSISDN is typically more accurate than if it were applied to the packet data by the phone or by the user. Further, the use of a user’s MSISDN as a portable authentication factor avoids the need for the user to carry a special additional physical security token.
[0013] Enterprise systems typically identify users of the enterprise service using an email address as the identifier of the digital identity. However, telecommunication network providers use a Mobile Station International Subscriber Directory Number (MSISDN) to identify users of the network. By the present disclosure, a link between an enterprise system and a telecommunications network is created by which it is possible to identify an enterprise user using an MSISDN.
[0014] In embodiments, in order to cause an MSISDN registration token to be sent electronically to a user, one or more of the servers may be configured to cause an email including an MSISDN registration token to be sent to an email address serving as an authentication factor of an identity of a user of an enterprise service or to be generated in a web frame to be served to a browser of a device in which the user is trying to access the enterprise service.
[0015] Where the enterprise user is identified to the enterprise service by their email address, this can be passed to the MSISDN authentication server for use in the MSISDN registration (and authentication) services. In this way, the MSISDN registration token can be sent electronically to the user by sending an email to the email address. Alternatively, the MSISDN authentication server may generate a web frame to be provided to a browser of the device trying to access the enterprise service. Alternatively, or in addition, a specific application for facilitating the MSISDN authentication may be installed on the user’s smart phone or other device trying to gain access to the enterprise service, and the MSISDN authentication server may send the MSISDN registration token electronically to the respective smart phone or other device for presentation to the user in the specific application.
[0016] In embodiments, the one or more servers may be further configured to: receive, from an enterprise service identity provider, an email address of a user of the enterprise service serving as the identifier of the digital identity of the user of the enterprise service.
[0017] In embodiments, in order to map the MSISDN to an identifier of a digital identity of the user in the enterprise service, one or more of the servers may be configured to map the MSISDN to an email address serving as the identifier of the digital identity of the user of the enterprise service based on the token and the extracted MSISDN.
[0018] In embodiments, the MSISDN registration token may include a QR code and/or a hyperlink operable by a user equipment to cause the user equipment to send the data packets to the one or more servers including the MSISDN registration token. The hyperlink may be embedded in the QR code, and the QR code may be an image which, if interacted with, serves as a hyperlink. In this way, the enterprise user may operate their smart phone to interact with the QR code or the hyperlink by, for example, scanning the QR code from a display in a browser or an email of another device to trigger the hyperlink, or the user may scan or otherwise interact with the QR code or hyperlink directly on the user’s smart phone itself. This interaction causes the smart phone to send packet data through the core network of the wireless cellular telecommunications network, where its header is enriched with the user’s MSISDN, over the Internet to the MSISDN authentication server where the MSISDN registration process for its use as an authentication factor can be completed.
[0019] In embodiments, one or more of the servers may be located in the core of the wireless cellular telecommunications network and is further configured to: enrich a header of data packets originating from a user equipment to include at least the user’s MSISDN.
[0020] In embodiments, the received data packets may include an HTTP request, and wherein the header of the HTTP request is enriched with the user’s MSISDN.
[0021] In embodiments, one or more of the servers is further configured to: receive, from a user equipment of the user of the enterprise service via a telecommunications network, data packets including the MSISDN registration token, the data packets having been sent by the user equipment pursuant to an interaction in the user equipment with the MSISDN registration token, the telecommunications network not being configured to enrich the header of the data packets to include at least the user’s MSISDN; serve to the user equipment a web form for display on a browser of the user equipment, through which the user is to provide the user’s MSISDN in reply; receive, in reply from the user equipment, data packets indicating the user’s MSISDN; cause a Short Message Service message including a MSISDN confirmation token to be sent, routed to the indicated MSISDN; receive, in reply from the user equipment, data packets indicating the MSISDN confirmation token; map the MSISDN to the identifier serving as the digital identity of the user of the enterprise service based on the MSISDN confirmation token and the indicated MSISDN; and send the authenticated MSISDN to an enterprise service identity provider to allow registration of the MSISDN as an authentication factor of the digital identity of the user of the enterprise service and an association between the MSISDN and the identifier serving as the digital identity of the user. In this way, when packets sent to the authentication server are not enriched with the MSISDN, the MSISDN authentication server is configured to serve to the user equipment a web form for acquiring the MSISDN from the user by a manual input, which is then subsequently confirmed by sending an SMS token to the MSISDN which the user can interact with to confirm the MSISDN to the MSISDN authentication server.
[0022] Viewed from another aspect, the present disclosure provides, optionally in embodiments of the above-described apparatus, apparatus for use in authenticating a user of an enterprise service using a Mobile Station International Subscriber Directory Number (MSISDN) uniquely identifying the user’s subscription to a wireless cellular telecommunications network, the apparatus comprising one or more servers configured to, individually or together: receive, from an enterprise service identity provider, an MSISDN for authentication, the MSISDN for authentication being an MSISDN of a user of the enterprise service and serving as an authentication factor of the digital identity of the user of the enterprise service; cause an MSISDN authentication token to be sent electronically to a user; receive, from a responding user equipment, data packets including the MSISDN authentication token, the data packets having been sent by the responding user equipment pursuant to an interaction in the responding user equipment with the SMS message, email or web frame including the MSISDN authentication token, the header of the data packets having been enriched by the wireless cellular telecommunications network to include an identification of the MSISDN associated with a subscription of the user of the responding user equipment to a wireless cellular telecommunications network; check whether the MSISDN associated with the subscription of the user of the responding user equipment to a wireless cellular telecommunications network authenticates by matching with the MSISDN for authentication; respond to the enterprise service identity provider with an indication of whether the MSISDN for authentication is authenticated.
[0023] In this way, once the enterprise service user’s MSISDN is registered with the MSISDN authentication server, the possession by the user of a user equipment having the SIM card corresponding to the registered MSISDN can be tested by the MSISDN authentication server sending to the user electronically an MSISDN authentication token. By interacting with the MSISDN authentication token, packet data may be sent by the user equipment through the wireless cellular telecommunications network to the MSISDN authentication server. Header enrichment of the packet data by the wireless cellular telecommunications network allows the MSISDN authentication server to confirm that the user possesses the user equipment and so authenticate the user’s identity to a requesting enterprise service in an authentication factor testing procedure as part of a two or multifactor authentication system.
[0024] In embodiments, in order to cause an MSISDN authentication token to be sent electronically to a user, one or more of the servers may be configured to cause an MSISDN authentication token to be sent by a Short Message Service message to the MSISDN or by email to an email address serving as another authentication factor of the digital identity of the user of the enterprise service or to be generated in a web frame to be served to a browser of a device in which the user is trying to access the enterprise service.
[0025] In embodiments, the MSISDN authentication token may include a QR code and/or a hyperlink operable by a user equipment to cause the user equipment to send the data packets to the one or more servers including the MSISDN authentication token.
[0026] Viewed from another aspect, the present disclosure provides a method for use in authenticating a user of an enterprise service using a Mobile Station International Subscriber Directory Number (MSISDN) uniquely identifying the user’s subscription to a wireless cellular telecommunications network, the method comprising, in one or more servers: causing an MSISDN registration token to be sent electronically to a user; receiving, from a user equipment of the user of the enterprise service via a wireless cellular telecommunications network, data packets including the MSISDN registration token, the data packets having been sent by the user equipment pursuant to an interaction in the user equipment with the MSISDN registration token, the header of the data packets having been enriched by the wireless cellular telecommunications network to include at least the user’s MSISDN; extracting the verified MSISDN from the enriched header of the data packets; mapping the MSISDN to an identifier of a digital identity of the user in the enterprise service based on the token and the extracted MSISDN; and sending the authenticated MSISDN to an enterprise service identity provider to allow registration of the MSISDN as an authentication factor of the digital identity of the user of the enterprise service and an association between the MSISDN and the identifier serving as the digital identity of the user.
[0027] Viewed from another aspect, the present disclosure provides, optionally in embodiments of the above-described method, a method for use in authenticating a user of an enterprise service using a Mobile Station International Subscriber Directory Number (MSISDN) uniquely identifying the user’s subscription to a wireless cellular telecommunications network, the method comprising, in one or more servers: receiving, from an enterprise service identity provider, an MSISDN for authentication, the MSISDN for authentication being an MSISDN of a user of the enterprise service and serving as an authentication factor of the digital identity of the user of the enterprise service; causing an MSISDN authentication token to be sent electronically to a user; receiving, from a responding user equipment, data packets including the MSISDN authentication token, the data packets having been sent by the responding user equipment pursuant to an interaction in the responding user equipment with the SMS message, email or web frame including the MSISDN authentication token, the header of the data packets having been enriched by the wireless cellular telecommunications network to include an identification of the MSISDN associated with a subscription of the user of the responding user equipment to a wireless cellular telecommunications network; checking whether the MSISDN associated with the subscription of the user of the responding user equipment to a wireless cellular telecommunications network authenticates by matching with the MSISDN for authentication; responding to the enterprise service identity provider with an indication of whether the MSISDN for authentication is authenticated.
[0028] Viewed from another aspect, the present disclosure provides a computer readable medium, optionally non-transitory, comprising instructions which when executed by one or more processors of one or more servers cause the one or more servers to be configured as in the apparatuses described above in relation to the above aspects and embodiments of the present disclosure.
[0029] Thus by the present disclosure, apparatuses, methods and computer program products are provided which can be used to link an enterprise system to a telecommunications system such that it is possible to identify an enterprise user using an MSISDN and to authenticate that enterprise user by testing their possession of a user equipment linked to the registered MSISDN. The disclosure provides a mechanism to link a MSISDN to an enterprise system digital identity with high integrity using a MSISDN header added by the network. If the authentication system is required to function on networks that do not support MSISDN header enrichment then the SMS token validation can be utilised instead. In the disclosed authentication system, the end user equipment can interact with the MSISDN registration and authentication tokens in a number of ways, for example, by scanning a QR code and/or by interaction through a browser and/or by utilising a bespoke application to transmit the token from the device that receives the token to the MSISDN authentication service. The use of a bespoke application automates the process and thus reduces the level of interaction, improving the user experience. Further, by the MSISDN authentication system, using the MSISDN gives the enterprise service operator and the authentication system operator the capability that the MSISDN can be automatically revoked in the network, thus automatically untrusting access when the SIM is blocked. An advantage of the solution is that the user of the enterprise system requiring email identifiers as an authentication factor for accessing the enterprise service can securely access the relevant enterprise service associated with their email address through a two factor authentication process, by using a smart phone where the MSISDN of the SIM in that smart phone is linked authentically to their email address.
[0030] The optional features described above in relation to embodiments of the apparatus of one aspect of the disclosure, are also to be considered within the scope of the disclosure of the present application as being provided in embodiments of the above-described method and computer readable medium of the other aspects of the disclosure, wherein the apparatus features of the embodiments are to be considered to be disclosed when adapted to implement their method or software equivalents.
BRIEF DESCRIPTION OF THE DRAWINGS
[0031] Certain embodiments of the present disclosure will now be described, by way of example only, with reference to the accompanying drawings, in which:
[0032] Figure 1 shows a schematic illustration of the use of an apparatus, including an MSISDN authentication server, for use in authenticating a user of an enterprise service in accordance with an embodiment of the present disclosure;
[0033] Figure 2 shows a schematic illustration of an MSISDN authentication server in accordance with an embodiment of the disclosure; and
[0034] Figure 3 shows a schematic illustration of the MSISDN registration process and the MSISDN authentication process in accordance with embodiments of the present disclosure.
DETAILED DESCRIPTION
[0035] The detailed description set forth below in connection with the appended drawings is intended as a description of presently preferred embodiments of the invention, and is not intended to represent the only forms in which the present invention may be practised. It is to be understood that the same or equivalent functions may be accomplished by different embodiments that are intended to be encompassed within the spirit and scope of the invention. Furthermore, terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that apparatuses and method steps that comprise a list of elements or steps do not include only those elements but may include other elements or steps not expressly listed or inherent. An element or step preceded by “comprises ...a” does not, without more constraints, preclude the existence of additional identical elements or steps that comprises the element or step.
[0036] Figure 1 shows a schematic of a network topology for implementing an apparatus 100, including an MSISDN authentication server 120, for use in authenticating a user of an enterprise service in accordance with an embodiment of the present disclosure.
[0037] A user 101, who may be an employee of an organisation, is desiring access to an Internet-accessible enterprise service provided by the organisation for the benefit of its employees. The enterprise service is provided by the employer implemented by an enterprise web service server 110 coupled to the Internet 108. The enterprise service provided thereby may be, for example, an Internet accessible email service or an Internet accessible web service providing a portal for interacting with a database 115 or other resource of the company. To attempt to gain such access, the user 101 operates an Internet accessible electronic device which may be, in the example shown, a desktop personal computer 102, or, in other embodiments a smart phone 103, to, for example, point a browser of the device at a uniform resource locator (URL) which redirects to an IP address of the enterprise web service server 110. Alternatively, a dedicated application such as a thin client application may be implemented in the desktop personal computer 102 and the smart phone 103 to communicate via the Internet 108 with the enterprise web service server 110 to enable the user 101 to interact therewith. The desktop personal computer 102 may be coupled with the Internet 108 by a wired connection, whereas the smart phone 103 may communicate with the Internet through a wireless cellular telecommunications network comprising a radio access network 104 and a core network 105.
[0038] The enterprise web service server 110 provides the user 101 with a user account and a logon process to ensure the security of the enterprise service by authenticating the identity of the user 101 against a digital identity representative of the user so as to exclude unauthorised actors from gaining access.
[0039] In the example embodiment, as is often the case, the digital identity of the user is identified to the enterprise web service server 110 by means of the user’s email address. The email address can be validated and its authenticity confirmed by using an appropriate token to ensure that the email address is valid and that the user has access to the email received at the email address. To provide security of access, the user is also required to input a secret password into the system before the access control components of the enterprise web service server 110 can allow the user 101 to assume his or her digital identity in the enterprise service and to access the resources exposed thereby through his or her user account. The username (i.e., email address) and password combination represent a pair of credentials that the user 101 knows and so this is representative of a single authentication factor.
[0040] To further improve the security of the enterprise service, a two- or multi-factor authentication system is put in place to further authenticate the user based on testing whether or not the user attempting to gain access to the enterprise service has possession of something physical that is registered to the user. In this case, the enterprise web service server 110 is configured to refer the digital identity of the user, or at least an identifier thereof (preferably an addressable identifier such as an email address), to an MSISDN authentication server 120 which is configured to be operable to, together with a wireless telecommunications network, firstly register the user’s MSISDN to the user’s digital identity and the enterprise service and to subsequently, on a user’s attempted access to the enterprise service, authenticate the user by testing whether or not the user is in possession of a user equipment 103 containing a SIM card linked to the MSISDN registered to that user.
[0041] The structure and operation of the MSISDN authentication server 120 and apparatus in the wireless cellular telecommunications network to enable this MSISDN registration and authentication will now be described.
[0042] The user is in possession of a smart phone 103, or, in the terminology of wireless cellular telecommunications networks, user equipment (UE), which he or she uses for voice and data communications. To achieve data communication with the Internet 108, the smart phone 103 communicates wirelessly with a wireless cellular telecommunications network comprising a Radio Access Network 104 which provides a wireless connection between the smart phone 103 and the wireless cellular telecommunications network, and which is coupled to a core network 105 of the wireless cellular telecommunications network which provides a connection between the wireless cellular telecommunications network and packet switched networks such as the Internet 108 and that manages data traffic in communication with outside resources accessible via the Internet 108. The wireless cellular telecommunications network may be a GPRS, UMTS or LTE network configured to provide voice and data communications in accordance with the 3G or 4G Long Term Evolution/Long Term Evolution - Advanced (LTE/LTE-Advanced) telecommunications standards, or any other appropriate future standard. The radio access network 104 comprises a plurality of base stations, known as eNodeBs in LTE networks, which implement a radio access technology and thereby provide the radio access network (RAN) 104 comprising a number of radio cells, which acts as an air interface to allow mobile radio communications with user portable electronic devices or user equipment such as smart phone 103 within those cells by establishing radio bearers therebetween. Besides smart phones, the mobile electronic devices may be tablets, laptops, or another appropriate electronic device for connecting to the wireless cellular telecommunications network to allow a user data communication with the Internet therethrough.
[0043] Cellular telecommunications network operators provide access to wireless communications using the network by end users taking a subscription with the operator for data and voice communication services. The operators typically provide a user with a Universal Integrated Circuit Card (UICC) (typically a Subscriber Identity Module (SIM) card (not shown)) that securely stores the international mobile subscriber identity (IMSI) field and the related key used to identify and authenticate subscribers on mobile telephony devices to the home location register (HLR) (not shown) in the core network 105.
[0044] To access the subscribed network services, the user must insert the UICC into a wireless cellular network-enabled electronic device, known collectively as the “user equipment”, such as smart phone 103 that then communicates with the cellular telecommunications network using the appropriately-enabled telecommunications protocols for that network and user equipment to perform voice and data plane communications therewith.
[0045] The Home Location Register (HLR) is a server resource that provides a central database that contains details of each subscriber that is authorized to use the core network 105 and stores records relating the IMSI of the SIM card of each subscriber to the subscriber’s MSISDN, which is the number used for routing calls to the subscriber. The MSISDN functions as a global title for routing data and voice communications in the core network 105 to the smart phone 103 carrying the SIM. In this way, the user 101 of a smart phone 103 may, using a browser program stored in a memory of the smart phone 103, send a data request in the form of a hypertext transfer protocol (HTTP) request via the core 105 of the wireless cellular telecommunications network to a web server (such as enterprise service server 110) via the Internet 108 located by a uniform resource locator (URL) to serve to the smart phone 103 content constructed by Hypertext Markup Language (HTML) as a website. The core network 105 routes the content of the website to the smart phone 103 using the MSISDN of the user’s subscription where it is displayed in a graphical user interface of the browser on a display screen thereof (not shown).
[0046] The core network 105 carries data traffic through a number of nodes therein including an access point node (APN) 106 and a packet gateway (P-GW) 107 which provides connectivity for the UE via the wireless cellular telecommunications network to an external packet data network such as the Internet 108 by being the point of exit and entry of traffic for the UE.
[0047] The access point node 106 is configured for header enrichment to add at least the MSISDN of the subscription of the originating user equipment as a field to the HTTP header of all HTTP traffic flowing through the APN 106 and the P-GW 107.
[0048] Referring now to Figure 2, the MSISDN authentication server 120, which is connected to the Internet 108, will now be described.
[0049] The MSISDN authentication server 120 comprises hardware 121 including one or more processors 122 which may be general-purpose central processing units or, in other embodiments, specifically designed application-specific integrated circuits (ASIC), coupled to an input output port 123 arranged to enable data communications with the Internet 108 and memory 124 in which the processor is configured to instantiate software for controlling the operation of the MSISDN authentication server 120. In this regard, the memory 124 includes a software stack including an operating system 125 configured to manage the hardware and software resources of the MSISDN authentication server 120, and application software 126 running on top of the operating system 125 configured for causing the MSISDN authentication server 120 to perform MSISDN registration and authentication functions.
[0050] Specifically, the application software 126 comprises MSISDN registration software 127 for causing a user’s MSISDN to be registered to the MSISDN authentication server 120 and linked to that user’s digital identity in the enterprise service, and MSISDN authentication software 128 for subsequent authentication of the user by checking that he or she is in possession of user equipment carrying a SIM card related to the MSISDN registered to the user’s digital identity.
[0051] The operation of the software by the MSISDN authentication server 120 to provide an MSISDN authentication service in the context of the network shown in Figure 1 will now be described with reference to Figure 3.
[0052] The first step is to create a mapping of an enterprise email address to an MSISDN, which is achieved during a registration process shown in the top half of Figure 3.
[0053] The Enterprise Identity provider 301 (part of the Enterprise Web Service Server 110 that manages enterprise users’ digital identities) supplies, as an identifier of the digital identity of the enterprise user, an email address 302 as an input to the apparatus 100 for use in authenticating an enterprise user, specifically to MSISDN Authentication Server 120 over the Internet 108. This is received by the input output port 123 and passed to the application software 126. A check may first be performed to determine whether the email address or other identifier of the identity of the enterprise user already has associated with it a mapped MSISDN. If not, the received email address is passed to the MSISDN registration software module 127 for registration processing.
[0054] In response to receipt of the supplied email, the MSISDN registration software module 127 causes an MSISDN registration token 304 to be sent electronically to the user of the enterprise service. In embodiments, as the identifier of the digital identity passed to the MSISDN authentication server 120 is a handle of the user in an addressable electronic communication system - in this case, the user’s email address (although other forms of addressable electronic communication can be used, such as without limitation, instant messaging, messaging within a social networking platform, etc.) - the MSISDN registration software module 127 can cause the MSISDN registration token 304 to be sent electronically to the user in an email as shown in Figure 3. Alternatively, the MSISDN registration token 304 can be sent electronically to the user by being generated in a web frame to be served to a browser of a device, which in this case may be the desktop personal computer 102, in which the user is trying to access the enterprise service.
[0055] The MSISDN registration token 304 includes a QR code and/or a hyperlink operable by the smart phone 103 to cause the smart phone 103 to send the data packets to the MSISDN authentication server 120 including the MSISDN registration token.
[0056] Thus, on receipt of the MSISDN registration token 304 in an email from the MSISDN authentication server 120, to register the user’s MSISDN as an authentication factor for accessing the enterprise server, the user then operates his or her smart phone 103 to process the MSISDN registration token 304. The MSISDN registration token 304 is processed either by the smart phone 103 directly, as illustrated in 305a, by clicking the email or the QR code in the email, for example to navigate to a hyperlink embedded therein, if the email is open on the smart phone 103 itself. Alternatively, the MSISDN registration token 304 is processed by the smart phone 103 indirectly, as illustrated in 305b, by scanning a QR code if the email is accessed on another device, such as the device being used to gain access to the enterprise service, in this case desktop personal computer 102.
[0057] By the above interaction of the smartphone 103 with the MSISDN registration token 304, an HTTP request including the MSISDN registration token 304 is sent by the smart phone 103 to the MSISDN authentication server 120. This is passed to the MSISDN registration software module process 127, schematically illustrated to the right in Figure 3.
[0058] Where the core network 105 of the wireless cellular telecommunications network supports header enrichment with the sending user equipment's MSISDN, the HTTP request header will be enriched by the APN 106 to include the user’s MSISDN related to the user’s subscription to the network mapped in the HLR by the SIM card’s IMSI, before the header-enriched HTTP request is sent over the Internet 108 by the P-GW 107 to the MSISDN authentication server 120. In this way, the MSISDN of the enterprise user’s device to be used in an authentication process can be reliably and conveniently checked and validated in its relation with the user’s digital identity as indicated by the enterprise identity provider 301. To achieve this, the MSISDN registration software module 127 extracts the verified MSISDN from the enriched header of the data packets, creates a mapping 306 between the MSISDN and the identifier of a digital identity of the user in the enterprise service (in this case the enterprise user’s email address); and sends the authenticated MSISDN mapping 306 to the enterprise service identity provider 301 in a response 307. This allows registration of the MSISDN as an authentication factor of the digital identity of the user of the enterprise service and an association between the MSISDN and the enterprise user’s email address. In this way, the operator of the apparatus 100 for use in authentication of an enterprise user, and specifically the operator of the MSISDN authentication server 120, can offer a service to third-party enterprise identity providers 301 to register authenticated MSISDN mappings 306 to, e.g., enterprise users’ email addresses, for use in subsequent authentication of enterprise users’ identities in a two factor authentication process.
[0059] If, in the above described process, header enrichment is not supported in the core network 105, the MSISDN authentication server 120 can discover and validate the MSISDN of the enterprise user’s smart phone 103 by sending an additional SMS token as follows (a process not shown in Figure 3 or Figure 4).
[0060] To discover the MSISDN of the smart phone 103, the MSISDN registration software module 127 serves to the smartphone 103, for example in an HTTP response, a web form for display on a browser of the smartphone 103, through which the user is to provide the user’s MSISDN in reply. In alternative embodiments, the MSISDN authentication server 120 can generate the web form for display on the device through which the enterprise user is trying to access the enterprise service, in this case desktop personal computer 102.
[0061] On receipt, in reply from the smart phone 103, of data packets indicating the user’s MSISDN as input manually by the user, the MSISDN registration software module 127 then causes a Short Message Service (SMS) message including an MSISDN confirmation token to be sent. This is routed by the wireless cellular telecommunications network to the indicated MSISDN. On receipt of the SMS including the MSISDN confirmation token, the enterprise user interacts with the MSISDN confirmation token, for example by clicking on an embedded hyperlink therein, which causes an HTTP request including the MSISDN confirmation token to be sent to the MSISDN authentication server 120 through the wireless cellular telecommunications network and the Internet 108.
[0062] On receipt at the MSISDN authentication server 120, in reply from the smartphone 103, of the data packets indicating the MSISDN confirmation token, as above, the MSISDN registration software module 127 then maps the enterprise user’s validated MSISDN to the enterprise user’s email address, and sends the authenticated MSISDN to email address mapping 306 in a response 307 to the enterprise service identity provider 301.
[0063] The authenticated mapping between the registered users’ validated MSISDNs and their email addresses (or other identifiers of their digital identities) can be stored at the enterprise identity provider 301 and/or in other embodiments it can be stored at the so as to be accessible by the MSISDN authentication server 120.
[0064] When an enterprise user who has an authenticated MSISDN to email address mapping registered through the above process attempts to access the enterprise service, the enterprise identity provider 301 can call the apparatus 100 to authenticate the user attempting to gain access through checking that they are in possession of a smart phone having a SIM card related to the MSISDN authenticated as being registered against that user’s email address. This process is shown in the bottom half of Figure 3.
[0065] First, the enterprise identity provider 301 sends a request 308 to the MSISDN authentication server 120 to authenticate an MSISDN (or alternatively an email address having a registered authenticated MSISDN mapping stored at the accessible by the MSISDN authentication server 120).
[0066] This is passed to the MSISDN authentication software module 128 which then provides an MSISDN authentication token 309 electronically to the end user. This can be sent in an SMS message 309a which is routed through the wireless cellular telecommunications network to the MSISDN to be received by the smartphone 103. Alternatively the MSISDN authentication token 309 can be embedded in an HTTP iFrame 309b. This can be served to a browser of a device in which the user is trying to access the enterprise service, in this case the desktop personal computer 102 (although in other cases this may be the smartphone 103 itself). Where the iFrame is to be served to the desktop personal computer 102, it can be provided back to the enterprise identity provider 301 for provision thereto.
[0067] The MSISDN authentication token 309 may include a QR code and/or a hyperlink operable by a user equipment to cause the user equipment to send the data packets to the one or more servers including the MSISDN authentication token 309.
[0068] On receipt of the MSISDN authentication token 309, the enterprise user then operates the smartphone 103 so as to interact with the MSISDN authentication token 309. This may be by the user selecting a hyperlink embedded in the SMS message received at the smartphone 103 or by operating the smartphone 103 to scan the QR code having the embedded hyperlink received at the desktop personal computer 102. In response to either of these interactions, the smartphone 103 sends, using a browser, an HTTP request through the wireless cellular telecommunications network and the Internet 108 to the MSISDN authentication server 120.
[0069] To facilitate the user in interacting with the MSISDN authentication token, the user may be encouraged or required to install on the smartphone 103 a bespoke application. The bespoke application in use, on receipt of the MSISDN authentication token 309, derives the MSISDN authentication token 309 and the relevant link for the end user to interact with. In certain implementations, the bespoke application may have a predefined schema, i.e. VFsmartiD://xyz, where xyz represents that user’s token to be transferred back to the VF server. Further automation by the bespoke application can be facilitated, to the extent that the 'schema' can parse the SMS on the end user’s behalf, and automatically 'click' that link which transmits the token back to VF.
[0070] If the wireless cellular telecommunications network supports header enrichment, the header of the HTTP request will have been enriched by the APN 106 to include an identification of the MSISDN associated with a subscription of the user of the smartphone 103 before being sent by the P-GW 107 to the MSISDN authentication server 120 over the Internet.
[0071] If the wireless cellular telecommunications network does not support header enrichment, then a further MSISDN authentication step may be performed by the MSISDN authentication software module 128 by, for example, sending a further SMS to the smartphone 103 or HTTP iFrame to the desktop personal computer 102 containing an MSISDN confirmation token that the user must interact with in order to confirm the MSISDN associated with the smart phone 103 to the MSISDN authentication server 120.
[0072] The MSISDN authentication server then responds 310 to the identity provider whether the MSISDN received through the processing by the MSISDN authentication software module 128 matches the requested MSISDN 308 to be authenticated.
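The registration flow of [0053]-[0062] and the authentication flow of [0065]-[0072] can be modelled in a few lines; the following is an added example, not code from the patent or from any operator. The header name `X-MSISDN`, the token lifetime, the single-use rule, the `via_operator_gateway` flag and all sample values are assumptions made for illustration.

```python
import secrets
import time

ENRICHED_HEADER = "X-MSISDN"  # hypothetical header name; the patent names none
TOKEN_TTL = 300               # assumed token lifetime in seconds


def normalise(msisdn):
    """Return the MSISDN as bare ASCII digits (E.164, max 15), else None."""
    digits = (msisdn or "").strip().lstrip("+")
    ok = digits.isascii() and digits.isdigit() and len(digits) <= 15
    return digits if ok else None


class MsisdnAuthServer:
    """Toy model of MSISDN authentication server 120 (names are illustrative)."""

    def __init__(self):
        self._pending = {}    # token -> (kind, subject, expiry)
        self.mappings = {}    # email -> MSISDN, i.e. mapping 306
        self.sms_outbox = []  # (msisdn, token) pairs standing in for sent SMS

    def _issue(self, kind, subject):
        token = secrets.token_urlsafe(32)
        self._pending[token] = (kind, subject, time.time() + TOKEN_TTL)
        return token

    def _redeem(self, token, kind):
        # pop() makes every token single use, even when the redemption fails
        kind_seen, subject, expiry = self._pending.pop(token, (None, None, 0))
        if kind_seen != kind or expiry < time.time():
            return None
        return subject

    @staticmethod
    def _enriched_msisdn(headers, via_operator_gateway):
        # Assumption: the header is trusted only on requests known to have
        # come through the operator's P-GW 107; anywhere else it is ignored.
        if not via_operator_gateway:
            return None
        return normalise(headers.get(ENRICHED_HEADER))

    # --- registration, [0053]-[0058] ---
    def start_registration(self, email):
        return self._issue("register", email)  # token 304 for the link / QR code

    def complete_registration(self, token, headers, via_operator_gateway):
        email = self._redeem(token, "register")
        if email is None:
            return ("rejected", None)
        msisdn = self._enriched_msisdn(headers, via_operator_gateway)
        if msisdn is None:
            # no enrichment: fall back to the web form of [0060]
            return ("need_msisdn", self._issue("form", email))
        self.mappings[email] = msisdn
        return ("registered", msisdn)

    # --- SMS fallback, [0059]-[0062] ---
    def submit_msisdn(self, form_token, claimed_msisdn):
        email = self._redeem(form_token, "form")
        msisdn = normalise(claimed_msisdn)
        if email is None or msisdn is None:
            return False
        self.sms_outbox.append((msisdn, self._issue("confirm", (email, msisdn))))
        return True

    def confirm_msisdn(self, confirm_token):
        subject = self._redeem(confirm_token, "confirm")
        if subject is None:
            return ("rejected", None)
        email, msisdn = subject
        self.mappings[email] = msisdn
        return ("registered", msisdn)

    # --- authentication, [0065]-[0072] ---
    def start_authentication(self, msisdn):
        return self._issue("auth", normalise(msisdn))  # token 309

    def complete_authentication(self, token, headers, via_operator_gateway):
        expected = self._redeem(token, "auth")
        seen = self._enriched_msisdn(headers, via_operator_gateway)
        return expected is not None and expected == seen  # response 310


def demo():
    """Run both flows on constructed sample values."""
    srv = MsisdnAuthServer()
    hdr = {ENRICHED_HEADER: "+447700900123"}  # constructed, as added by APN 106
    reg = srv.start_registration("alice@example.com")
    registered = srv.complete_registration(reg, hdr, True)
    replayed = srv.complete_registration(reg, hdr, True)
    good = srv.complete_authentication(
        srv.start_authentication("447700900123"), hdr, True)
    wrong_sim = srv.complete_authentication(
        srv.start_authentication("447700900123"),
        {ENRICHED_HEADER: "447700900999"}, True)
    return registered, replayed, good, wrong_sim


if __name__ == "__main__":
    print(demo())
```

In this model a request without a usable enriched header simply fails authentication; the further confirmation step of [0071] would reuse the SMS fallback methods shown for registration.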
[0073] It will be appreciated that whilst various aspects and embodiments of the present invention have heretofore been described, the scope of the present invention is not limited to the particular arrangements set out herein and instead extends to encompass all arrangements, and modifications and alterations thereto, which fall within the scope of the appended claims.
[0074] For example, whilst embodiments described in the foregoing description refer to GPRS 3G-type network infrastructure, it should be noted that the architecture described may equally be deployed in telecommunications networks based on other cellular telecommunication architectures, for example LTE, LTE-Advanced (3GPP Release 10 onwards), future architectures (e.g., 5G), as well as WD-CDMA and WiMAX. The MSISDN authentication server architecture is agnostic to the specific type of Core Network technology or Radio Access Technology used.
[0075] It will also be well understood by persons of ordinary skill in the art that whilst the described embodiments implement certain functionality by means of software, that functionality could equally be implemented solely in hardware (for example by means of one or more ASICs (application specific integrated circuit)) or indeed by a mix of hardware and software. As such, the scope of the present invention should not be interpreted as being limited only to being implemented in software.
[0076] For example, in embodiments, the logical components of the MSISDN authentication server 120 in accordance with aspects of the invention are implemented in a server or across multiple servers having each or together one or more processors using software instructions stored on one or more computer readable media that store across them instructions which when carried out by one or more of the processors cause the apparatus to instantiate one or more of: the MSISDN registration software module 127; and the MSISDN authentication software module 128. The extent to which software is used to configure hardware in order to implement the logical components of the invention, and the extent to which the hardware is specifically designed and configured to implement the logical components with no or little need for software control, can vary and is not to be considered limiting on the invention. For example, one or more components or sub-components of the MSISDN authentication server 120 may be implemented primarily by specifically configured hardware, whereas other components may be implemented by software controlling more general-purpose hardware. In addition, one or more of the logical components may be spread across one or more hardware components or separate server computers. Alternatively, all the components of the MSISDN authentication server 120 may be implemented in a single server computer.
[0077] Lastly, it should also be noted that whilst the accompanying claims set out particular combinations of features described herein, the scope of the present invention is not limited to the particular combinations hereafter claimed, but instead extends to encompass any combination of features or embodiments herein disclosed irrespective of whether or not that particular combination has been specifically enumerated in the accompanying claims at this time.

Claims (17)

1. Apparatus for use in authenticating a user of an enterprise service using a Mobile Station International Subscriber Directory Number (MSISDN) uniquely identifying the user’s subscription to a wireless cellular telecommunications network, the apparatus comprising one or more servers configured to, individually or together: cause an MSISDN registration token to be sent electronically to a user; receive, from a user equipment of the user of the enterprise service via a wireless cellular telecommunications network, data packets including the MSISDN registration token, the data packets having been sent by the user equipment pursuant to an interaction in the user equipment with the MSISDN registration token, the header of the data packets having been enriched by the wireless cellular telecommunications network to include at least the user’s MSISDN; extract the verified MSISDN from the enriched header of the data packets; map the MSISDN to an identifier of a digital identity of the user in the enterprise service based on the token and the extracted MSISDN; and send the authenticated MSISDN to an enterprise service identity provider to allow registration of the MSISDN as an authentication factor of the digital identity of the user of the enterprise service and an association between the MSISDN and the identifier serving as the digital identity of the user.
2. Apparatus as claimed in claim 1, wherein, in order to cause an MSISDN registration token to be sent electronically to a user, one or more of the servers is configured to cause an email including an MSISDN registration token to be sent to an email address serving as an authentication factor of an identity of a user of an enterprise service or to be generated in a web frame to be served to a browser of a device in which the user is trying to access the enterprise service.
3. Apparatus as claimed in claim 1 or 2, wherein the one or more servers is further configured to: receive, from an enterprise service identity provider, an email address of a user of the enterprise service serving as the identifier of the digital identity of the user of the enterprise service.
4. Apparatus as claimed in claim 1, 2 or 3, wherein, in order to map the MSISDN to an identifier of a digital identity of the user in the enterprise service, one or more of the servers is configured to map the MSISDN to an email address serving as the identifier of the digital identity of the user of the enterprise service based on the token and the extracted MSISDN.
5. Apparatus as claimed in any preceding claim, wherein the MSISDN registration token includes a QR code and/or a hyperlink operable by a user equipment to cause the user equipment to send the data packets to the one or more servers including the MSISDN registration token.
6. Apparatus as claimed in any preceding claim, wherein one or more of the servers is located in the core of the wireless cellular telecommunications network and is further configured to: enrich a header of data packets originating from a user equipment to include at least the user’s MSISDN.
7. Apparatus as claimed in any preceding claim, wherein the received data packets include an HTTP request, and wherein the header of the HTTP request is enriched with the user’s MSISDN.
8. Apparatus as claimed in any preceding claim, wherein one or more of the servers is further configured to: receive, from a user equipment of the user of the enterprise service via a telecommunications network, data packets including the MSiSDN registration token, the data packets having been sent by the user equipment pursuant to an interaction in the user equipment with the MSiSDN registration token, the telecommunications network not being configured to enrich the header of the data packets to include at least the user’s MSISDN; serve to the user equipment a web form for display on a browser of the user equipment, through which the user is to provide the user’s MSISDN in reply; receive, in reply from the user equipment, data packets indicating the user’s MSiSDN; cause a Short Message Service message including a MSISDN confirmation token to be sent, routed to the indicated MSISDN; receive, in reply from the user equipment, data packets indicating the MSiSDN confirmation token; map the MSISDN to the identifier serving as the digital identity of the user of the enterprise service based on the MSiSDN confirmation token and the indicated MSISDN; and send the authenticated MSiSDN to an enterprise service identity provider to allow registration of the MSiSDN as an authentication factor of the digital identity of the user of the enterprise service and an association between the MSISDN and the identifier serving as the digital identity of the user.
9. Apparatus for use in authenticating a user of an enterprise service using a Mobile Station international Subscriber Directory Number (MSISDN) uniquely identifying the user’s subscription to a wireless cellular telecommunications network, optionally as claimed in any preceding claim, the apparatus comprising one or more servers configured to, individually or together: receive, from an enterprise service identity provider, an MSISDN for authentication, the MSISDN for authentication being an MSISDN of a user of the enterprise service and serving as an authentication factor of the digital identity of the user of the enterprise service; cause an MSiSDN authentication token to be sent electronically to a user; receive, from a responding user equipment, data packets including the MSiSDN authentication token, the data packets having been sent by the responding user equipment pursuant to an interaction in the responding user equipment with the SMS message, email or web frame including the MSISDN authentication token, the header of the data packets having been enriched by the wireiess cellular telecommunications network to include an identification of the MSISDN associated with a subscription of the user of the responding user equipment to a wireiess cellular telecommunications network; check whether the MSiSDN associated with the subscription of the user of the responding user equipment to a wireiess cellular telecommunications network authenticates by matching with the MSISDN for authentication; respond to the enterprise service identity provider with an indication of whether the MSiSDN for authentication is authenticated.
10. Apparatus as claimed in claim 9, wherein, in order to cause an MSiSDN authentication token to be sent electronically to a user, one or more of the servers is configured to cause an MSISDN authentication token to be sent by a Short Message Service message to the MSISDN or by email to an email address serving as another authentication factor of the digital identity of the user of the enterprise service or to be generated in a web frame to be served to a browser of a device in which the user is trying to access the enterprise service.
11. Apparatus as claimed in claim 9 or 10, wherein the MSISDN authentication token includes a QR code and/or a hyperlink operable by a user equipment to cause the user equipment to send the data packets to the one or more servers including the MSiSDN authentication token.
12. A method for use in authenticating a user of an enterprise service using a Mobile Station International Subscriber Directory Number (MSISDN) uniquely identifying the users subscription to a wireless cellular telecommunications network, the method comprising, in one or more servers: causing an MSiSDN registration token to be sent electronically to a user; receiving, from a user equipment of the user of the enterprise service via a wireless cellular telecommunications network, data packets including the MSISDN registration token, the data packets having been sent by the user equipment pursuant to an interaction in the user equipment with the MSiSDN registration token, the header of the data packets having been enriched by the wireless cellular telecommunications network to include at least the user’s MSISDN; extracting the verified MSISDN from the enriched the header of the data packets; mapping the MSISDN to an identifier of a digital identity of the user in the enterprise service based on the token and the extracted MSISDN; and sending the authenticated MSiSDN to an enterprise service identity provider to allow registration of the MSiSDN as an authentication factor of the digital identity of the user of the enterprise service and an association between the MSiSDN and the identifier serving as the digital identity of the user.
13. A method for use in authenticating a user of an enterprise service using a Mobile Station International Subscriber Directory Number (MSISDN) uniquely identifying the user’s subscription to a wireless cellular telecommunications network, optionally as claimed in claim 12, the method comprising, in one or more servers: receiving, from an enterprise service identity provider, an MSISDN for authentication, the MSISDN for authentication being an MSISDN of a user of the enterprise service and serving as an authentication factor of the digital identity of the user of the enterprise service; causing an MSISDN authentication token to be sent electronically to a user; receiving, from a responding user equipment, data packets including the MSISDN authentication token, the data packets having been sent by the responding user equipment pursuant to an interaction in the responding user equipment with the SMS message, email or web frame including the MSISDN authentication token, the header of the data packets having been enriched by the wireless cellular telecommunications network to include an identification of the MSISDN associated with a subscription of the user of the responding user equipment to a wireless cellular telecommunications network; checking whether the MSISDN associated with the subscription of the user of the responding user equipment to a wireless cellular telecommunications network authenticates by matching with the MSISDN for authentication; responding to the enterprise service identity provider with an indication of whether the MSISDN for authentication is authenticated.
14. Computer readable medium, optionally non-transitory, comprising instructions which when executed by one or more processors of one or more servers cause the one or more servers to be configured as claimed in any of claims 1 to 11.
15. Apparatus substantially as hereinbefore described with reference to the accompanying drawings.
16. Computer readable medium substantially as hereinbefore described with reference to the accompanying drawings.
17. A method substantially as hereinbefore described with reference to the accompanying drawings.
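The authentication method of claim 13, sketched as an added example that is not part of the patent or any Vodafone implementation: the server issues a single-use token for the MSISDN the identity provider wants authenticated, then accepts the network-enriched MSISDN only when the request arrives from the operator's enrichment gateway. The header name `x-msisdn`, the gateway address, the token lifetime and the phone numbers are assumptions constructed for illustration.

```python
import hmac
import secrets
import time

ENRICHED_HEADER = "x-msisdn"           # assumption: the claims name no header
TRUSTED_GATEWAYS = {"203.0.113.10"}    # constructed: operator enrichment proxy
TOKEN_TTL_SECONDS = 120                # assumption: short token lifetime


def normalise(msisdn):
    """Reduce '+44 7700 900123' style input to bare ASCII digits."""
    return "".join(ch for ch in msisdn if ch in "0123456789")


class MsisdnAuthenticator:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token -> (MSISDN for authentication, expiry time)

    def issue_token(self, msisdn_for_auth):
        """Called when the identity provider submits an MSISDN for
        authentication; the token is what goes out by SMS, email or web frame."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = (normalise(msisdn_for_auth),
                                self._clock() + TOKEN_TTL_SECONDS)
        return token

    def handle_response(self, token, headers, peer_ip):
        """headers is a list of (name, value) pairs as received.
        Returns the indication sent back to the identity provider."""
        entry = self._pending.pop(token, None)   # single use: a replay finds nothing
        if entry is None:
            return False
        expected, expires = entry
        if self._clock() > expires:
            return False
        # Only the operator's gateway may assert an MSISDN; from any other
        # peer the header is client-controlled input.
        if peer_ip not in TRUSTED_GATEWAYS:
            return False
        seen = [v for k, v in headers if k.lower() == ENRICHED_HEADER]
        if len(seen) != 1:                       # missing or duplicated header
            return False
        return hmac.compare_digest(normalise(seen[0]), expected)
```

Because the token is consumed before the other checks run, a failed attempt also invalidates it and the identity provider has to request a fresh one.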
GB1602468.9A 2016-02-11 2016-02-11 Apparatus, method and computer program product for use in authenticating a user Active GB2547231B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1602468.9A GB2547231B (en) 2016-02-11 2016-02-11 Apparatus, method and computer program product for use in authenticating a user

Publications (3)

Publication Number Publication Date
GB201602468D0 GB201602468D0 (en) 2016-03-30
GB2547231A true GB2547231A (en) 2017-08-16
GB2547231B GB2547231B (en) 2021-02-03

Family

ID=55697557

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1602468.9A Active GB2547231B (en) 2016-02-11 2016-02-11 Apparatus, method and computer program product for use in authenticating a user

Country Status (1)

Country Link
GB (1) GB2547231B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2569784A (en) * 2017-12-19 2019-07-03 Goel Anil System and method of operating an email service for mobile telephone
WO2022003547A1 (en) * 2020-07-02 2022-01-06 Upstream Mobile Commerce Limited Fraud protection in subscription flows for mobile application services
GB2597665A (en) * 2020-07-24 2022-02-09 Metaswitch Networks Ltd Associating a user service with a telephony identifier

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014198745A1 (en) * 2013-06-12 2014-12-18 Telecom Italia S.P.A. Mobile device authentication in heterogeneous communication networks scenario

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2569784A (en) * 2017-12-19 2019-07-03 Goel Anil System and method of operating an email service for mobile telephone
GB2569784B (en) * 2017-12-19 2020-01-01 Goel Anil System and method of operating an email service for mobile telephones
WO2022003547A1 (en) * 2020-07-02 2022-01-06 Upstream Mobile Commerce Limited Fraud protection in subscription flows for mobile application services
GB2597665A (en) * 2020-07-24 2022-02-09 Metaswitch Networks Ltd Associating a user service with a telephony identifier
GB2597665B (en) * 2020-07-24 2022-08-10 Metaswitch Networks Ltd Associating a user service with a telephony identifier
US11729625B2 (en) * 2020-07-24 2023-08-15 Metaswitch Networks Ltd. Associating a user service with a telephony identifier

Also Published As

Publication number Publication date
GB2547231B (en) 2021-02-03
GB201602468D0 (en) 2016-03-30
