US20140366128A1 - Adaptive authentication systems and methods - Google Patents

Info

Publication number
US20140366128A1
Authority
US
United States
Prior art keywords
security authentication
determining
communications device
authentication level
communication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/127,215
Inventor
Vinky P. Venkateswaran
Jason Martin
Gyan Prakash
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intel Corp
Original Assignee
Vinky P. Venkateswaran
Jason Martin
Gyan Prakash
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Vinky P. Venkateswaran, Jason Martin, Gyan Prakash
Publication of US20140366128A1
Assigned to INTEL CORPORATION. Assignment of assignors interest (see document for details). Assignors: PRAKASH, GYAN; MARTIN, JASON; VENKATESWARAN, Venky P.
Priority to US16/282,601 (patent US10666635B2)
Priority to US16/847,941 (publication US20200314079A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2111 Location-sensitive, e.g. geographical location, GPS
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/63 Location-dependent; Proximity-dependent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/65 Environment-dependent, e.g. using captured environmental data

Definitions

  • An embodiment of the invention concerns security for mobile computing nodes.
  • Mobile computing nodes provide convenience to users by allowing the users to perform various tasks from a variety of locations.
  • Mobile computing nodes include, for example, cellular phones, smartphones, tablets, Ultrabooks®, notebooks, laptops, personal digital assistants, and mobile processor based platforms.
  • security protection for their devices.
  • the users that do use such security protection, such as typing in long alphanumeric passwords before accessing their devices, are prompted for authentication many, many times per day. These repetitive prompts for authentication are intrusive to the user and limit the convenience of their mobile devices.
  • FIG. 1 includes a schematic flow chart for an embodiment of the invention.
  • FIG. 2 includes a schematic flow chart for an embodiment of the invention.
  • FIG. 3 includes a schematic flow chart for an embodiment of the invention.
  • FIG. 4 includes a mobile computing node in an embodiment of the invention.
  • the phrase “embodiment” is used repeatedly. The phrase generally does not refer to the same embodiment; however, it may.
  • the terms “comprising,” “having,” and “including” are synonymous, unless the context dictates otherwise.
  • the phrase “A/B” means “A or B”.
  • the phrase “A and/or B” means “(A), (B), or (A and B)”.
  • the phrase “at least one of A, B and C” means “(A), (B), (C), (A and B), (A and C), (B and C) or (A, B and C)”.
  • An embodiment includes a mobile device that implements adaptive authentication.
  • the embodiment allows a user to authenticate himself or herself to the mobile device more easily in familiar environments than in unfamiliar environments. For example, a user may authenticate herself to her mobile device using voice recognition when the device senses the device is located in a place regularly frequented by the user (e.g., the user's home), but the user may have to authenticate herself to her mobile device using an alphanumeric password when the device senses the device is located in a location not regularly frequented by the user (e.g., an airport).
  • An embodiment includes a mobile device that implements adaptive authentication. The embodiment allows a user to authenticate himself or herself to the mobile device more easily to see or access informal communications than for more formal communications.
  • a user may authenticate herself to her mobile device using fingerprint recognition when the device determines an informal communication has been received (e.g., a text from a sibling), but the user may have to authenticate herself to her mobile device using an alphanumeric password when the device senses a more formal communication has been received (e.g., a voice message from an unknown third party).
  • An embodiment changes device authentication mechanisms from easy to hard and/or hard to easy based on, for example, the context for a situation. For example, an embodiment may change device authentication requirements based on data the device receives and the sensitivity of the data. Thus, an email received with a “top secret” flag or designation or an instant message received from a non-whitelisted party (e.g., party not previously listed in a whitelist stored in a memory coupled to the communications device) may require stronger authentications.
  • An embodiment allows a user to define a device authentication policy based on data sensitivity, device location, and/or other forms of device or communication context (also referred to as “environmental factor” or “environmental context” or “communication characteristic”). Such context may further include ambient noise.
  • the authentication policy may require authentication based on more than one contextual factor. For example, a user may receive a video chat session while he and his mobile device are in his home. The authentication policy may consider this context to satisfy a “safe zone” whereby no authentication is needed to view the session (because the user is in his home, which he previously designated a safe place). However, the mobile device may sense (or receive sensed information) a great deal of ambient noise near the phone.
  • Such noise may indicate a gathering is taking place (e.g., a party) such that the user is not necessarily alone.
  • the authentication policy may “override” the initial safe zone indication (based on the phone being located at the user's home) and instead require a heightened level of authentication.
  • This heightened level of authentication may include any level of authentication considering, in this example, the initial setting was to require no authentication because the phone was located at the user's home.
  • a heightened authentication level (e.g., requiring a strict password such as a 9 character alphanumeric password) may be needed when the mobile communications device is not connected to a wireless communications network such as, for example, a 4G cellular network or a WiFi network.
  • the policy may determine that determining the user's location will be difficult because triangulation (via the wireless network) is not readily available (assuming the policy chooses not to rely on GPS location due to lack of location specificity or simply by choice). Without determining location, the policy may automatically dictate that the highest level of authentication is required.
  • One or more adaptive authentication embodiments may provide a user with a less cumbersome manner of securing his or her mobile device. This in turn encourages users to set higher authentication levels for accessing a device, which fosters secure computing. This may alleviate some concerns by enterprises or employers that worry an employee is using a single mobile device to process employer related information (which is sensitive) as well as personal information (such as texts that may not be sensitive)—and deciding to treat all information (employer related and personal related) with low security to satisfy convenience wishes.
  • An embodiment concerns data sensitivity protection such that email received with a “Top Secret” designation, or messages received that are private and personal in nature, require stronger authentications.
  • An embodiment determines communication (e.g., email) sensitivity based on any one or more of an “importance” or “sensitivity” setting or flag for the communication, an email “security setting” (which may include a digital signature, digital certificate, encrypted information in the body of the communication, an encrypted attachment coupled to an email, and the like), the presence of a “voting button”, a request for a “delivery receipt” for a message, a request for a “read receipt” for a message, whether an attachment is coupled to the communication, a category for the communication (e.g., red, blue, green), the account the email came from (e.g., from a corporate email account (that may have been previously identified by a corporate IT department as being such) versus a personal email account that was not so identified), and the like.
  • An embodiment may compare the sender of the communication to a whitelist, blacklist, and the like.
  • an email address may be linked to a contact profile for a third party.
  • the user may whitelist a communication from a third party, such as the user's son or daughter, such that no authentication or little authentication (e.g., voice recognition) is needed to access the communication (e.g., email) from the whitelisted contact.
  • the user's boss may be blacklisted such that any communication from a computing node associated with the boss's contact profile (e.g., landline phone, mobile phone, desktop, email address, etc.) requires a higher level of authentication to view and/or access (e.g., reply to).
  • An embodiment may require stronger authentication based on the type of communication received. For example, all texts may require little to no authentication but all voice messages, Multimedia Messaging Service (MMS) communications, and near-field-communications (e.g., mobile device to mobile device communications via Bluetooth® protocol) may require heightened authentication.
  • an embodiment includes a mechanism for adaptive mobile device security based on device location and/or the nature of a communication received by the device.
  • An embodiment allows a user to set, for example, low, high and medium security level passwords instead of simply requiring no password or a single password for all instances.
  • An embodiment allows for mobile device authentication requirements that change based on the device's location instead of conventional devices with authentication requirements with no concern for the location of the device.
  • an embodiment includes mobile device authentication requirements that change based on data sensitivity, whether the message is private or personal, top secret or work related messages whereas conventional systems had no regard or less regard for such instances.
  • An embodiment of adaptive authentication modifies the device user's experience (e.g., switching between device authentication factors and/or changing settings such as the lock and screen timeout) via the definition of safe zone policies.
  • a safe zone policy is used to identify device use context in which, for example, device theft is less likely (e.g., a thief is unlikely to be using a stolen smartphone in the smartphone user's home whereas the proper owner of the smartphone is highly likely to use the smartphone in the user's home).
  • a safe zone policy may vary authentication level based on device context such that when the user is at her office, but is at a meeting where there is lots of ambient noise, the policy may still insist on heightened authentication.
  • a safe zone policy may vary authentication level based on device context such that when the user is at her office, but is at a meeting where another computing node is attempting near-field-communications (or short range endpoint to endpoint communications such as Bluetooth®) with the computing device, a high level password may be required.
  • a user may be in his employer's conference room (a policy designated safe place) but may be near a third party that is visiting the employer. If the third party's computing node is attempting to communicate with the user's computing node (e.g., via Bluetooth® protocol or any other communications protocol), the policy may require a heightened security authorization.
  • if the device simply detects the presence of another device (e.g., via a Bluetooth® signal) then the device's policy may require heightened security.
  • a user may be in her home (a policy designated safe place) but may be near a third party, such as a stereo system that is attempting Bluetooth® based communications with the user's mobile computing node.
  • the stereo system may be whitelisted and thereby allowed to communicate with the user's mobile communicating node without any authentication (or maybe simple facial recognition).
  • a user may determine a policy whereby the user sets the policy for low, high, medium or any other level.
  • a user can define face recognition as a medium authentication level, voice authentication as low authentication level, and a long alphanumeric password a high authentication level.
  • An embodiment may vary the measures to recover a password based on context. For example, a request for a lost password may require little authentication when the request is made in the user's home but may completely disallow such a request (or require a heightened authentication such as an iris scan) when the device is not located in the user's home or other predefined safe place.
  • FIG. 1 includes a schematic flow chart for method 100 in an embodiment of the invention.
  • a user begins or starts an adaptive authorization setup module (or may instead rely on “factory settings” or modifications thereof).
  • a user defines authentication mechanisms for different authentication levels. For example, for a low authentication level the user may choose no or little authentication (e.g., voice recognition with a low sensitivity or voice match threshold on a user defined variable threshold). For a medium authentication level the user may require iris and/or facial recognition. The user may require higher authentication (e.g., 12 character alphanumeric password) for a high authentication level.
  • the user correlates, defines, and otherwise links authentication levels to various contexts (e.g., environmental factors such as location or communication characteristics such as an email address associated with an email). For example, satisfaction of a location based safe zone (e.g., user's car, home, or workplace) may require only low level authentication. A high level authentication level may be reserved for all undefined situations that do not fit a lower level authentication criterion or criteria. An email marked urgent may require a medium level authentication and an MMS communication from a son or daughter may require low level authentication but an MMS communication from any other party may require high level authentication.
  • an adaptive authorization module may implement the policies by detecting context (e.g., location) and then requiring a corresponding authorization level.
  • the module may detect various contexts, some of which require low level authorization (e.g., user device is located in user's car) and some of which require high authorization (e.g., email from user's boss) and then demand the highest level authorization.
  • the user then authenticates himself or herself in compliance with the adaptive authorization policy.
  • An embodiment utilizes various authorization policies including access to certain modules (e.g., accessing email may require greater authorization than accessing texts).
  • the policies may work in “reverse” as well.
  • an authorization policy may vary the lock timeout (e.g., time before an unlocked computing node locks itself due to lack of computing activity) based on context (e.g., whether device is in user's home, whether the user's device is located in his bedroom (lower authorization level) or in a family space like a living room (higher authorization level)). The same may be performed with a screen lockout (e.g., time before screen locks out).
  • FIG. 2 includes a schematic flow chart for method 200 in an embodiment of the invention.
  • Block 205 includes determining a first environmental factor for a mobile communications device.
  • an option in one embodiment includes determining the first environmental factor by determining a location of the mobile communications device.
  • the location of the device may be determined via triangulation from cellular network nodes (e.g., cellular phone towers), triangulation via WiFi nodes or “hotspots”, triangulation via radio frequency (RF) signal tracking, global positioning systems (GPS), proximity to Bluetooth® beacons, and the like.
  • Some embodiments may determine location partly or entirely based on altitude or atmospheric pressure.
  • Block 206 includes determining whether the location is included in a predetermined group of locations. Different embodiments have different granularity towards this issue. For example, an embodiment may simply want to determine whether the device is located in the United States of America or not located in United States of America, whether the device is located within a specific region of China, whether the device is located in a user's car (e.g., by determining the device is in Bluetooth® communication with the car), whether the device is located in the user's workplace or home, whether the device is located within the user's second floor bedroom or the user's first floor living room (e.g., based on altitude sensors, Bluetooth® beacon systems, and the like). Any of these locations may be included in a predetermined list of locations. That list may be configured by the user or possibly by the user's employer (allowing employer related materials to only be accessible in country X but never in country Y or any country other than country X).
  • Block 210 includes determining a first security authentication level based on the determined first environmental factor. For example, the device may determine a high security authentication level (which requires alphanumeric password entry) is needed because the determined device location is not included in the predetermined list of locations. A determination the device is in the user's bedroom may call for a low level of security (e.g., no authentication is required) whereas determination the device is in the user's kitchen may require a low level of authentication (e.g., voice recognition). In an embodiment a determination the phone is located in a community with an above average crime level may result in requiring higher levels of authentication.
  • Block 215 includes allowing access to a first module of the mobile communications device based on the first security authentication level. For example, if a high level of authentication was required via block 210, block 215 may allow access to email based on satisfaction of the high level of authentication. Block 215 may allow access to a baseline of modules (e.g., access to music stored on the device) with no need for authorization but require satisfaction of the high level of authentication if email is accessed.
  • Block 230 includes disallowing access to a second module of the mobile communications device based on the first security authentication level.
  • the modules may be divided along lines such as business and personal. For example, one module may include access to business email accounts, business voice mail accounts, and documents stored in segregated memory reserved for business related documents and materials. Another module may include access to personal email accounts, personal voice mail accounts, and documents stored in segregated memory reserved for personal related documents and materials (or in generally available memory).
  • the difference between business and personal may be based on a number of factors, such as a “whitelist” of email addresses that shunt those emails to the business module and “graylist” of SMS addresses/numbers that shunt those messages to the personal module.
  • the business module may require higher authentication than the personal module.
  • the business module may ban access entirely if the user is not located within a certain location (e.g., the business module is inaccessible if the user is not located on a particular military base to decrease the opportunity for top secret communications to be viewed off the base).
  • a sandbox may include a security mechanism for separating running programs. It may be used to operate content, such as code, or access data on a business versus personal division.
  • the sandbox environment may provide a tightly-controlled set of resources for programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices may be disallowed or heavily restricted.
  • a sandbox may be implemented using virtualization technology. An application may even be executed on the cloud while in a sandboxed environment.
  • Block 220 includes determining a second security authentication level based on the determined first environmental factor.
  • Block 225 includes allowing access to a second module of the mobile communications device based on the second security authentication level.
  • Block 207 includes determining the first environmental factor by determining whether the communications device is communicatively coupled to a wireless communications network.
  • determining the device is receiving periodic pings or messages from a cellular network may indicate the user's location can be identified and thus, a lower level of authentication may be required.
  • determining the communications device is communicatively coupled to a wireless communications network may also indicate a negative to the user's use policy. For example, in an embodiment recognition of such communication could be indicative of a risk the device is being snooped by other devices.
  • determining the first environmental factor includes determining whether the communications device has communicated a threshold level of data via the wireless communications network. Thus, an occasional ping from a cellular tower may not increase security levels.
  • a snooped device may be unwittingly communicating an amount of information that exceeds a threshold and thus require a higher security authentication level.
  • the same may be true for simple internet browsing.
  • certain networks may be whitelisted (e.g., a home network) whereas other networks are not whitelisted (e.g., a coffee shop network) and thus require higher security.
  • different communications e.g., cellular vs. WiFi
  • Blocks 235, 240 include receiving a communication from an additional computing node; determining a first characteristic for the communication; determining a second security authentication level based on the determined first characteristic; and allowing access to the communication based on the first and second security authentication levels.
  • a user may receive an email.
  • a characteristic for that email may include the email address (or some portion thereof like a domain portion that is recognized as the domain of the person's employer), a prioritization flag, a size of the email.
  • Characteristics of other communications may be the type of communication. For example, an SMS message may call for lower priority than voice messages or phone calls. SMS messages from certain phone numbers may require lower priority than those from other phone numbers.
  • Access to these communications may thus be based on multiple security levels such as one based on proximity of the device as well as another based on the characteristic of the communication.
  • the highest security level may win out. For example, if location dictates voice recognition is fine but the communication characteristic (e.g., a whitelist indicates the email is from the user's boss) dictates retinal scanning, then retinal scanning may be required for viewing the email.
  • Another embodiment may include receiving a communication from an additional computing node; determining a first characteristic for the communication; and allowing access to the communication based on the first characteristic and the first security authentication level.
  • the first security level may completely determine the security level needed to access the communication.
  • Embodiments may rely on an environmental factor selected from one or more of the group comprising (a) location of the communication device, (b) whether the communications device is communicatively coupled to a wireless communications network, (c) time of day (e.g., requiring very high security at 2 a.m.), (d) audible noise sensed by the communications device (e.g., requiring very high security at a noisy transit station), and (e) altitude sensed by the communications device.
  • An embodiment may include determining the first security authentication level by selecting a first security authentication level but not selecting a second security authentication level or a third security level, the first, second, and third security authentication levels being included in a plurality of security authentication levels. Thus, there may be a plurality of levels to choose from rather than a simple scenario where either no security is needed or some security is needed.
  • the first security authentication level corresponds to a first authentication module
  • the second security authentication level corresponds to a second authentication module
  • the third security authentication level corresponds to a third authentication module
  • the first, second, and third security authentication modules are each selected from the group comprising retinal scanning, iris scanning, facial recognition, a password having a first length, a password having a second length longer than the first length, fingerprint recognition, voice recognition, a personal identification number (PIN), a radio frequency identification (RFID), a security token, and a biometric.
  • FIG. 3 includes a method in an embodiment.
  • FIG. 3 shows that blocks 235 , 240 may exist separately from the rest of FIG. 2 (and FIG. 2 may exist separate from blocks 235 , 240 ).
  • Block 305 includes receiving a communication from a computing node.
  • Block 310 includes determining a first characteristic for the communication.
  • Block 315 includes determining a first security authentication level based on the determined first characteristic.
  • Block 320 includes allowing access to the communication based on the first characteristic and the first security authentication level.
  • Embodiments may be used in many different types of systems.
  • a communication device can be arranged to perform the various methods and techniques described herein.
  • the scope of the present invention is not limited to a communication device, and instead other embodiments can be directed to other types of apparatus for processing instructions.
  • Program instructions may be used to cause a general-purpose or special-purpose processing system that is programmed with the instructions to perform the operations described herein. Alternatively, the operations may be performed by specific hardware components that contain hardwired logic for performing the operations, or by any combination of programmed computer components and custom hardware components.
  • the methods described herein may be provided as (a) a computer program product that may include one or more machine readable media having stored thereon instructions that may be used to program a processing system or other electronic device to perform the methods or (b) at least one storage medium having instructions stored thereon for causing a system to perform the methods.
  • machine readable medium or “storage medium” used herein shall include any medium that is capable of storing or encoding a sequence of instructions for execution by the machine and that cause the machine to perform any one of the methods described herein.
  • ROM read-only memory
  • PROM programmable ROM
  • EPROM erasable PROM
  • EEPROM electrically EPROM
  • CD-ROM compact disk ROM
  • DVD digital versatile disk
  • flash memory a magneto-optical disk,
  • a medium may include any mechanism for storing, transmitting, or receiving information in a form readable by a machine, and the medium may include medium through which the program code may pass, such as antennas, optical fibers, communications interfaces, etc.
  • Program code may be transmitted in the form of packets, serial data, parallel data, etc., and may be used in a compressed or encrypted format.
  • FIG. 4 shows a block diagram of a system embodiment 1000 in accordance with an embodiment of the present invention. Shown is a multiprocessor system 1000 that includes a first processing element 1070 and a second processing element 1080 . While two processing elements 1070 and 1080 are shown, it is to be understood that an embodiment of system 1000 may also include only one such processing element.
  • System 1000 is illustrated as a point-to-point interconnect system, wherein the first processing element 1070 and second processing element 1080 are coupled via a point-to-point interconnect 1050 . It should be understood that any or all of the interconnects illustrated may be implemented as multi-drop bus rather than point-to-point interconnect.
  • each of processing elements 1070 and 1080 may be multicore processors, including first and second processor cores (i.e., processor cores 1074 a and 1074 b and processor cores 1084 a and 1084 b ).
  • processor cores 1074 , 1074 b , 1084 a , 1084 b may be configured to execute instruction code in a manner similar to methods discussed herein.
  • Each processing element 1070 , 1080 may include at least one shared cache.
  • the shared cache may store data (e.g., instructions) that are utilized by one or more components of the processor, such as the cores 1074 a , 1074 b and 1084 a , 1084 b , respectively.
  • the shared cache may locally cache data stored in a memory 1032 , 1034 for faster access by components of the processor.
  • the shared cache may include one or more mid-level caches, such as level 2 (L2), level 3 (L3), level 4 (L4), or other levels of cache, a last level cache (LLC), and/or combinations thereof.
  • processing elements 1070 , 1080 may be present in a given processor.
  • processing elements 1070 , 1080 may be an element other than a processor, such as an accelerator or a field programmable gate array.
  • additional processing element(s) may include additional processors(s) that are the same as a first processor 1070 , additional processor(s) that are heterogeneous or asymmetric to first processor 1070 , accelerators (such as, e.g., graphics accelerators or digital signal processing (DSP) units), field programmable gate arrays, or any other processing element.
  • There can be a variety of differences between the processing elements 1070 , 1080 in terms of a spectrum of metrics of merit including architectural, microarchitectural, thermal, power consumption characteristics, and the like. These differences may effectively manifest themselves as asymmetry and heterogeneity amongst the processing elements 1070 , 1080 .
  • the various processing elements 1070 , 1080 may reside in the same die package.
  • First processing element 1070 may further include memory controller logic (MC) 1072 and point-to-point (P-P) interfaces 1076 and 1078 .
  • second processing element 1080 may include a MC 1082 and P-P interfaces 1086 and 1088 .
  • MC's 1072 and 1082 couple the processors to respective memories, namely a memory 1032 and a memory 1034 , which may be portions of main memory locally attached to the respective processors.
  • MC logic 1072 and 1082 is illustrated as integrated into the processing elements 1070 , 1080 , for alternative embodiments the MC logic may be discrete logic outside the processing elements 1070 , 1080 rather than integrated therein.
  • First processing element 1070 and second processing element 1080 may be coupled to an I/O subsystem 1090 via P-P interfaces 1076 , 1086 via P-P interconnects 1062 , 10104 , respectively.
  • I/O subsystem 1090 includes P-P interfaces 1094 and 1098 .
  • I/O subsystem 1090 includes an interface 1092 to couple I/O subsystem 1090 with a high performance graphics engine 1038 .
  • a bus may be used to couple graphics engine 1038 to I/O subsystem 1090 .
  • a point-to-point interconnect 1039 may couple these components.
  • I/O subsystem 1090 may be coupled to a first bus 10110 via an interface 1096 .
  • first bus 10110 may be a Peripheral Component Interconnect (PCI) bus, or a bus such as a PCI Express bus or another third generation I/O interconnect bus, although the scope of the present invention is not so limited.
  • various I/O devices 1014 , 1024 may be coupled to first bus 10110 , along with a bus bridge 1018 which may couple first bus 10110 to a second bus 1020 .
  • second bus 1020 may be a low pin count (LPC) bus.
  • Various devices may be coupled to second bus 1020 including, for example, a keyboard/mouse 1022 , communication device(s) 1026 (which may in turn be in communication with a computer network), and a data storage unit 1028 such as a disk drive or other mass storage device which may include code 1030 , in one embodiment.
  • the code 1030 may include instructions for performing embodiments of one or more of the methods described above.
  • an audio I/O 1024 may be coupled to second bus 1020 .
  • a system may implement a multi-drop bus or another such communication topology.
  • the elements of the Figure may alternatively be partitioned using more or fewer integrated chips than shown in the Figure.
  • a first example includes a method executed by at least one processor comprising: determining a first environmental factor for a mobile communications device; determining a first security authentication level based on the determined first environmental factor; and allowing access to a first module of the mobile communications device based on the first security authentication level.
  • Example 2 the subject matter of the Example 1 can optionally include disallowing access to a second module of the mobile communications device based on the first security authentication level.
  • the subject matter of the Examples 1-2 can optionally include determining a second security authentication level based on the determined first environmental factor; and allowing access to a second module of the mobile communications device based on the second security authentication level.
  • the first environmental factor may include determining a location for the device is the user's bedroom.
  • the device may determine a first security authentication level (e.g., a low level needed to access photographs in a first module) and a second security level (e.g., a higher level needed to access emails in second module) are satisfied.
  • Example 4 the subject matter of the Examples 1-3 can optionally include determining the first environmental factor includes determining a location of the mobile communications device.
  • Example 5 the subject matter of the Examples 1-4 can optionally include determining whether the location is included in a predetermined group of locations.
  • the subject matter of the Examples 1-5 can optionally include determining the first environmental factor includes determining whether the communications device is communicatively coupled to a wireless communications network.
  • the subject matter of the examples 1-5 can optionally include determining the first environmental factor by detecting transmissions from another computing node.
  • Such transmissions may be RF transmissions.
  • If the device detects an additional device nearby (e.g., by “snooping” transmissions for the additional device), it restricts access/heightens security authentication level(s). This does not necessarily mean that the additional device is “coupled” to the user's device, only that the user's device can “hear” the additional device.
  • RF technologies (e.g., Bluetooth® and Wi-Fi) regularly emit transmissions to discover and/or maintain connections (e.g., “discovery” transmissions).
  • Those transmissions are not part of any specific connection, but since they are wireless they can be observed by any device nearby (including the user's device). Hence the user's device can “listen” for those transmissions (e.g., such as these “discovery” transmissions) to identify devices nearby. Whether detection of such a device triggers a higher security level may depend on, in some embodiments, whether the detected device is recognized (e.g., included in a whitelist or the like). Such an embodiment may also listen to transmissions between an additional device and any other node (even without being able to identify the contents of the transmissions due to encryption). Thus, if the additional device is connected to Wi-Fi and the user's device detects this, then the policy may dictate higher security. In an embodiment, a time threshold may be used such that the security level is determined based on whether the communication node has detected transmissions from another node in the previous X minutes (e.g., 1, 5, 10, 15 minutes).
  • determining the first environmental factor includes determining whether the communications device has communicated a threshold level of data via the wireless communications network of example 6.
  • the subject matter of the Examples 1-7 can optionally include receiving a communication from an additional computing node; determining a first characteristic for the communication; determining a second security authentication level based on the determined first characteristic; and allowing access to the communication based on the first and second security authentication levels.
  • the subject matter of the Examples 1-8 can optionally include receiving a communication from an additional computing node; determining a first characteristic for the communication; and allowing access to the communication based on the first characteristic and the first security authentication level.
  • the subject matter of the Examples 1-9 can optionally include wherein the first environmental factor is selected from one or more of the group comprising location of the communication device, whether the communications device is communicatively coupled to a wireless communications network, time of day, whether the communications device detects transmissions from another computing node, audible noise sensed by the communications device, and altitude sensed by the communications device.
  • determining the first security authentication level includes selecting the first security authentication level but not selecting second or third security authentication levels, the first, second, and third security authentication levels being included in a plurality of security authentication levels.
  • the subject matter of the Examples 1-10 can optionally include determining a second environmental factor for the mobile communications device; and determining the first security authentication level based on the determined first and second environmental factors.
  • first and second factors may include device location and the detection of transmissions from another computing node.
  • the subject matter of the Examples 1-11 can optionally include wherein the first security authentication level corresponds to first authentication module, the second security authentication level corresponds to a second authentication module, and the third security authentication level corresponds to a third authentication module; wherein the first, second, and third security authentication modules are each selected from the group comprising retinal scanning, iris scanning, facial recognition, a password having a first length, a password having a second length longer than the first length, fingerprint recognition, voice recognition, a personal identification number (PIN), a radio frequency identification (RFID), a security token, and a biometric.
  • the biometric may include, without limitations, recognition of a user's vein or vessel pattern or characteristic, hand geometry, ocular blood vessels, gait, electrocardiogram, keyboard/mouse/touch/gesture dynamics, eye movements and the like.
  • Additional “password-like” mechanisms may include recognition of a user's picture password, drawable pattern, passphrase, and the like.
  • Additional “token-like” mechanisms may include, for example, a wearable companion device (e.g., watch, headset, head-mounted display, and the like), smartcard, SIM card, docking station or other peripherals, medical sensor device, and the like.
  • determining the first security authentication level includes selecting the first security authentication level but not selecting second or third security authentication levels, the first, second, and third security authentication levels being included in a plurality of security authentication levels; wherein the first security authentication level corresponds to first authentication module, the second security authentication level corresponds to a second authentication module, and the third security authentication level corresponds to a third authentication module; wherein the first, second, and third security authentication modules are each selected from the group comprising retinal scanning, iris scanning, facial recognition, a password having a first length, a password having a second length longer than the first length, fingerprint recognition, voice recognition, a personal identification number (PIN), a radio frequency identification (RFID), a security token, and a biometric.
  • Example 13 the subject matter of the Examples 1-12 can optionally include an apparatus comprising means for performing any one of claims 1 to 12 .
  • Example 14 the subject matter of the Examples 1-12 can optionally include at least one storage medium having instructions stored thereon for causing a system to carry out a method according to any one of claims 1 to 12 .
  • Example 15 includes a method executed by at least one processor comprising: receiving a communication from a computing node; determining a first characteristic for the communication; determining a first security authentication level based on the determined first characteristic; and allowing access to the communication based on the first characteristic and the first security authentication level.
  • Example 16 the subject matter of the Example 15 can optionally include wherein determining the first security authentication level includes selecting the first security authentication level but not selecting second or third security authentication levels, the first, second, and third security authentication levels being included in a plurality of security authentication levels.
  • the subject matter of the Example 15 can optionally include determining a second characteristic for the communication; and determining the first security authentication level based on the determined first and second characteristics.
  • the first characteristic may be the type of message (e.g., SMS text versus voice message) and the second characteristic may be the identity of the sender.
  • the subject matter of the Examples 15-16 can optionally include determining a first environmental factor for a mobile communications device, the mobile computing device including the at least one processor; determining a second security authentication level based on the determined first environmental factor; and allowing access to the communication based on the first and second security authentication levels.
  • Example 18 the subject matter of the Examples 15-17 can optionally include allowing access to a first module of the mobile communications device based on the second security authentication level and disallowing access to a second module of the mobile communications device based on the second security authentication level.
  • determining the first environmental factor includes determining a location of the mobile communications device, the method further comprising determining whether the location is included in a predetermined group of locations.
  • determining the first environmental factor includes determining whether the communications device is communicatively coupled to a wireless communications network.
  • Example 21 the subject matter of the Examples 15-20 can optionally include at least one storage medium having instructions stored thereon for causing a system to carry out a method according to any one of claims 15 to 20 .
  • Example 22 includes an apparatus comprising: at least one memory and at least one processor, coupled to the at least one memory, to perform operations comprising: determining a first environmental factor for a mobile communications device; determining a first security authentication level based on the determined first environmental factor; and allowing access to a first module of the mobile communications device based on the first security authentication level.
  • Example 23 the subject matter of the Example 22 can optionally include wherein the at least one processor is to perform operations comprising disallowing access to a second module of the mobile communications device based on the first security authentication level.
  • Example 23 the subject matter of the Example 22 can optionally include determining a second environmental factor for the mobile communications device; and determining the first security authentication level based on the determined first and second environmental factors.
  • determining the first environmental factor includes determining a location of the mobile communications device and the at least one processor is to perform operations comprising determining whether the location is included in a predetermined group of locations.
  • the subject matter of the Examples 22-24 can optionally include wherein the at least one processor is to perform operations comprising: receiving a communication from an additional computing node; determining a first characteristic for the communication; determining a second security authentication level based on the determined first characteristic; and allowing access to the communication based on the first and second security authentication levels.
  • the subject matter of the Examples 22-25 can optionally include wherein the at least one processor is to perform operations comprising: receiving a communication from an additional computing node; determining a first characteristic for the communication; and allowing access to the communication based on the first characteristic and the first security authentication level.
  • An embodiment includes a processing system comprising: means for determining a first environmental factor for a mobile communications device; means for determining a first security authentication level based on the determined first environmental factor; and means for allowing access to a first module of the mobile communications device based on the first security authentication level.
  • An embodiment includes means for disallowing access to a second module of the mobile communications device based on the first security authentication level.
  • An embodiment includes means for determining a second security authentication level based on the determined first environmental factor; and allowing access to a second module of the mobile communications device based on the second security authentication level.
  • An embodiment includes means for determining the first environmental factor by determining a location of the mobile communications device.
  • An embodiment includes means for determining whether the location is included in a predetermined group of locations.
  • An embodiment includes means for determining the first environmental factor by determining whether the communications device is communicatively coupled to a wireless communications network. An embodiment includes means for determining the first environmental factor by determining whether the communications device has communicated a threshold level of data via the wireless communications network. An embodiment includes means for receiving a communication from an additional computing node; means for determining a first characteristic for the communication; means for determining a second security authentication level based on the determined first characteristic; and means for allowing access to the communication based on the first and second security authentication levels. An embodiment includes means for receiving a communication from an additional computing node; means for determining a first characteristic for the communication; and means for allowing access to the communication based on the first characteristic and the first security authentication level.
  • An embodiment includes a processing system comprising: means for receiving a communication from a computing node; means for determining a first characteristic for the communication; means for determining a first security authentication level based on the determined first characteristic; and means for allowing access to the communication based on the first characteristic and the first security authentication level.
  • An embodiment includes means for determining the first security authentication level by selecting the first security authentication level but not selecting second or third security authentication levels, the first, second, and third security authentication levels being included in a plurality of security authentication levels.
  • An embodiment includes means for determining a first environmental factor for a mobile communications device, the mobile computing device including the at least one processor; means for determining a second security authentication level based on the determined first environmental factor; and means for allowing access to the communication based on the first and second security authentication levels.
  • An embodiment includes means for allowing access to a first module of the mobile communications device based on the second security authentication level and disallowing access to a second module of the mobile communications device based on the second security authentication level.
  • An embodiment includes means for determining the first environmental factor by determining a location of the mobile communications device, the method further comprising determining whether the location is included in a predetermined group of locations.
  • An embodiment includes means for determining the first environmental factor by determining whether the communications device is communicatively coupled to a wireless communications network.

Abstract

An embodiment includes a method executed by at least one processor comprising: determining a first environmental factor for a mobile communications device; determining a first security authentication level based on the determined first environmental factor; and allowing access to a first module of the mobile communications device based on the first security authentication level. Other embodiments are described herein.

Description

    TECHNICAL FIELD
  • An embodiment of the invention concerns security for mobile computing nodes.
  • BACKGROUND
  • Mobile computing nodes provide convenience to users by allowing the users to perform various tasks from a variety of locations. Mobile computing nodes include, for example, cellular phones, smartphones, tablets, Ultrabooks®, notebooks, laptops, personal digital assistants, and mobile processor based platforms. However, to achieve convenience many users use no or very limited security protection for their devices. The users that do use such security protection, such as typing in long alphanumeric passwords before accessing their devices, are prompted for authentication many, many times per day. These repetitive prompts for authentication are intrusive to the user and limit the convenience of their mobile devices.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Embodiments of the present invention will be described by way of exemplary embodiments, but not limitations, illustrated in the accompanying drawings in which like references denote similar elements, and in which:
  • FIG. 1 includes a schematic flow chart for an embodiment of the invention.
  • FIG. 2 includes a schematic flow chart for an embodiment of the invention.
  • FIG. 3 includes a schematic flow chart for an embodiment of the invention.
  • FIG. 4 includes a mobile computing node in an embodiment of the invention.
  • DETAILED DESCRIPTION
  • Various operations will be described as multiple discrete operations, in turn, in a manner that is most helpful in understanding the illustrative embodiments; however, the order of description should not be construed as to imply that these operations are necessarily order dependent. In particular, these operations need not be performed in the order of presentation. Further, descriptions of operations as separate operations should not be construed as requiring that the operations be necessarily performed independently and/or by separate entities. Descriptions of entities and/or modules as separate modules should likewise not be construed as requiring that the modules be separate and/or perform separate operations. In various embodiments, illustrated and/or described operations, entities, data, and/or modules may be merged, broken into further sub-parts, and/or omitted. The phrase “embodiment” is used repeatedly. The phrase generally does not refer to the same embodiment; however, it may. The terms “comprising,” “having,” and “including” are synonymous, unless the context dictates otherwise. The phrase “A/B” means “A or B”. The phrase “A and/or B” means “(A), (B), or (A and B)”. The phrase “at least one of A, B and C” means “(A), (B), (C), (A and B), (A and C), (B and C) or (A, B and C)”.
  • Many users use their mobile devices in “familiar” places where the user repetitively uses the device. Such places include, for example, the user's home, workplace, automobile, and the like. An embodiment includes a mobile device that implements adaptive authentication. The embodiment allows a user to authenticate himself or herself to the mobile device more easily in familiar environments than in unfamiliar environments. For example, a user may authenticate herself to her mobile device using voice recognition when the device senses the device is located in a place regularly frequented by the user (e.g., the user's home), but the user may have to authenticate herself to her mobile device using an alphanumeric password when the device senses the device is located in a location not regularly frequented by the user (e.g., an airport). This fosters security compliance by balancing security and convenience because users will be more likely to use adequate security (e.g., complex passwords) if they are not forced to constantly have to comply with such measures (e.g., entering long passwords), even in low risk situations like sitting in their home or office. Other embodiments are described herein.
  • Many users use their mobile devices to receive communications that are more sensitive or formal than other communications. For example, an email from a co-worker may be deemed highly formal, whereas a short message service (SMS) text from a son or daughter may be deemed informal. An embodiment includes a mobile device that implements adaptive authentication. The embodiment allows a user to authenticate himself or herself to the mobile device more easily to see or access informal communications than for more formal communications. For example, a user may authenticate herself to her mobile device using fingerprint recognition when the device determines an informal communication has been received (e.g., a text from a sibling), but the user may have to authenticate herself to her mobile device using an alphanumeric password when the device senses a more formal communication has been received (e.g., a voice message from an unknown third party). Other embodiments are described herein.
  • The above examples are used for illustrative purposes and other embodiments are described herein. A more general discussion now follows.
  • An embodiment changes device authentication mechanisms from easy to hard and/or hard to easy based on, for example, the context for a situation. For example, an embodiment may change device authentication requirements based on data the device receives and the sensitivity of the data. Thus, an email received with a “top secret” flag or designation or an instant message received from a non-whitelisted party (e.g., party not previously listed in a whitelist stored in a memory coupled to the communications device) may require stronger authentications.
  • An embodiment allows a user to define a device authentication policy based on data sensitivity, device location, and/or other forms of device or communication context (also referred to as “environmental factor” or “environmental context” or “communication characteristic”). Such context may further include ambient noise. The authentication policy may require authentication based on more than one contextual factor. For example, a user may receive a video chat session while he and his mobile device are in his home. The authentication policy may consider this context to satisfy a “safe zone” whereby no authentication is needed to view the session (because the user is in his home, which he previously designated a safe place). However, the mobile device may sense (or receive sensed information) a great deal of ambient noise near the phone. Such noise may indicate a gathering is taking place (e.g., a party) such that the user is not necessarily alone. In such a case, the authentication policy may “override” the initial safe zone indication (based on the phone being located at the user's home) and instead require a heightened level of authentication. This heightened level of authentication may include any level of authentication considering, in this example, the initial setting was to require no authentication because the phone was located at the user's home.
  • In an embodiment, a heightened authentication level (e.g., requiring a strict password such as a 9 character alphanumeric password) may be needed when the mobile communications device is not connected to a wireless communications network such as, for example, a 4G cellular network or a WiFi network. In such a case the policy may determine that determining the user's location will be difficult because triangulation (via the wireless network) is not readily available (assuming the policy chooses not to rely on GPS location due to lack of location specificity or simply by choice). Without determining location, the policy may automatically dictate that the highest level of authentication is required.
  • Use of one or more adaptive authentication embodiments may provide a user with a less cumbersome manner of securing his or her mobile device. This in turn encourages users to set higher authentication levels for accessing a device, which fosters secure computing. This may alleviate some concerns by enterprises or employers that worry an employee is using a single mobile device to process employer related information (which is sensitive) as well as personal information (such as texts that may not be sensitive)—and deciding to treat all information (employer related and personal related) with low security to satisfy convenience wishes.
  • An embodiment concerns data sensitivity protection such that email received with a “Top Secret” designation, or messages received that are private and personal in nature, require stronger authentications. An embodiment determines communication (e.g., email) sensitivity based on any one or more of an “importance” or “sensitivity” setting or flag for the communication, an email “security setting” (which may include a digital signature, digital certificate, encrypted information in the body of the communication, an encrypted attachment coupled to an email, and the like), the presence of a “voting button”, a request for a “delivery receipt” for a message, a request for a “read receipt” for a message, whether an attachment is coupled to the communication, a category for the communication (e.g., red, blue, green), the account the email came from (e.g., from a corporate email account (that may have been previously identified by a corporate IT department as being such) versus a personal email account that was not so identified), and the like. Many of the above flags or designations may be associated with a communications module, such as Microsoft Outlook®. An embodiment may compare the sender of the communication to a whitelist, blacklist, and the like. For example, an email address may be linked to a contact profile for a third party. The user may whitelist a communication from a third party, such as the user's son or daughter, such that no authentication or little authentication (e.g., voice recognition) is needed to access the communication (e.g., email) from the whitelisted contact. However, the user's boss may be blacklisted such that any communication from a computing node associated with the boss's contact profile (e.g., landline phone, mobile phone, desktop, email address, etc.) requires a higher level of authentication to view and/or access (e.g., reply to).
  • An embodiment may require stronger authentication based on the type of communication received. For example, all texts may require little to no authentication but all voice messages, Multimedia Messaging Service (MMS) communications, and near-field-communications (e.g., mobile device to mobile device communications via Bluetooth® protocol) may require heightened authentication.
  • Thus, an embodiment includes a mechanism for adaptive mobile device security based on device location and/or the nature of a communication received by the device. An embodiment allows a user to set, for example, low, high and medium security level passwords instead of simply requiring no password or a single password for all instances. An embodiment allows for mobile device authentication requirements that change based on the device's location instead of conventional devices with authentication requirements with no concern for the location of the device. Further, an embodiment includes mobile device authentication requirements that change based on data sensitivity, whether the message is private or personal, top secret or work related messages whereas conventional systems had no regard or less regard for such instances.
  • An embodiment of adaptive authentication modifies the device user's experience (e.g., switching between device authentication factors and/or changing settings such as the lock and screen timeout) via the definition of safe zone policies. A safe zone policy is used to identify device use context in which, for example, device theft is less likely (e.g., a thief is unlikely to be using a stolen smartphone in the smartphone user's home whereas the proper owner of the smartphone is highly likely to use the smartphone in the user's home).
  • A safe zone policy may vary authentication level based on device context such that when the user is at her office, but is at a meeting where there is lots of ambient noise, the policy may still insist on heightened authentication.
  • A safe zone policy may vary authentication level based on device context such that when the user is at her office, but is at a meeting where another computing node is attempting near-field-communications (or short range endpoint to endpoint communications such as Bluetooth®) with the computing device, a high level password may be required. Thus, a user may be in his employer's conference room (a policy designated safe place) but may be near a third party that is visiting the employer. If the third party's computing node is attempting to communicate with the user's computing node (e.g., via Bluetooth® protocol or any other communications protocol), the policy may require a heightened security authorization. Furthermore, in some embodiments this should not imply the device (the user's device and/or the third party's device) is intending to communicate with the other device. For example, if the user's device simply detects the presence of another device (e.g., via a Bluetooth® signal) then the device's policy may require heightened security. However, a user may be in her home (a policy designated safe place) but may be near a third party, such as a stereo system that is attempting Bluetooth® based communications with the user's mobile computing node. The stereo system may be whitelisted and thereby allowed to communicate with the user's mobile communicating node without any authentication (or maybe simple facial recognition).
  • A user may determine a policy whereby the user sets the policy for low, high, medium or any other level. A user can define face recognition as a medium authentication level, voice authentication as low authentication level, and a long alphanumeric password a high authentication level.
  • An embodiment may vary the measures to recover a password based on context. For example, a request for a lost password may require little authentication when the request is made in the user's home but may completely disallow such a request (or require a heightened authentication such as an iris scan) when the device is not located in the user's home or other predefined safe place.
  • FIG. 1 includes a schematic flow chart for method 100 in an embodiment of the invention. In block 105 a user begins or starts an adaptive authorization setup module (or may instead rely on “factory settings” or modifications thereof). In block 110 a user defines authentication mechanisms for different authentication levels. For example, for a low authentication level the user may choose no or little authentication (e.g., voice recognition with a low sensitivity or voice match threshold on a user defined variable threshold). For a medium authentication level the user may require iris and/or facial recognition. The user may require higher authentication (e.g., 12 character alphanumeric password) for a high authentication level. In block 115 the user correlates, defines, and otherwise links authentication levels to various contexts (e.g., environmental factors such as location or communication characteristics such as an email address associated with an email). For example, satisfaction of a location based safe zone (e.g., user's car, home, or workplace) may require only low level authentication. A high level authentication level may be reserved for all undefined situations that do not fit a lower level authentication criterion or criteria. An email marked urgent may require a medium level authentication and a MMS communication from a son or daughter may require low level authentication but a MMS communication from any other party may require high level authentication. In block 120 (after adaptive authorization is completed) an adaptive authorization module may implement the policies by detecting context (e.g., location) and then require a corresponding authorization level. The module may detect various contexts, some of which require low level authorization (e.g., user device is located in user's car) and some of which require high authorization (e.g., email from user's boss) and then demand the highest level authorization. In block 125 the user then authenticates himself or herself in compliance with the adaptive authorization policy.
  • An embodiment utilizes various authorization policies including access to certain modules (e.g., accessing email may require greater authorization than accessing texts). The policies may work in “reverse” as well. For example, an authorization policy may vary the lock timeout (e.g., time before an unlocked computing node locks itself due to lack of computing activity) based on context (e.g., whether device is in user's home, whether the user's device is located in his bedroom (lower authorization level) or in a family space like a living room (higher authorization level)). The same may be performed with a screen lockout (e.g., time before screen locks out).
  • FIG. 2 includes a schematic flow chart for method 200 in an embodiment of the invention.
  • Block 205 includes determining a first environmental factor for a mobile communications device. Different embodiments handle this in different ways. For example, an option (an optional path being designated with dashed lines) in one embodiment includes determining the first environmental factor by determining a location of the mobile communications device. For example, the location of the device may be determined via triangulation from cellular network nodes (e.g., cellular phone towers), triangulation via WiFi nodes or “hotspots”, triangulation via radio frequency (RF) signal tracking, global positioning systems (GPS), proximity to Bluetooth® beacons, and the like. Some embodiments may determine location partly or entirely based on altitude or atmospheric pressure.
  • Block 206 includes determining whether the location is included in a predetermined group of locations. Different embodiments have different granularity towards this issue. For example, an embodiment may simply want to determine whether the device is located in the United States of America or not located in the United States of America, whether the device is located within a specific region of China, whether the device is located in a user's car (e.g., by determining the device is in Bluetooth® communication with the car), whether the device is located in the user's workplace or home, whether the device is located within the user's second floor bedroom or the user's first floor living room (e.g., based on altitude sensors, Bluetooth® beacon systems, and the like). Any of these locations may be included in a predetermined list of locations. That list may be configured by the user or possibly by the user's employer (allowing employer related materials to only be accessible in country X but never in country Y or any country other than country X).
  • Block 210 includes determining a first security authentication level based on the determined first environmental factor. For example, the device may determine a high security authentication level (which requires alphanumeric password entry) is needed because the determined device location is not included in the predetermined list of locations. A determination the device is in the user's bedroom may call for a low level of security (e.g., no authentication is required) whereas determination the device is in the user's kitchen may require a low level of authentication (e.g., voice recognition). In an embodiment a determination the phone is located in a community with an above average crime level may result in requiring higher levels of authentication.
  • Block 215 includes allowing access to a first module of the mobile communications device based on the first security authentication level. For example, if a high level of authentication was required via block 210, block 215 may allow access to email based on satisfaction of the high level of authentication. Block 215 may allow access to a baseline of modules (e.g., access to music stored on the device) with no need for authorization but satisfaction of the high level of authentication if email is accessed.
  • Block 230 includes disallowing access to a second module of the mobile communications device based on the first security authentication level. Thus, if the first security authentication level is moderate then access to SMS messages may be allowed but no access to email is allowed. In an embodiment the modules may be divided along lines such as business and personal. For example, one module may include access to business email accounts, business voice mail accounts, and documents stored in segregated memory reserved for business related documents and materials. Another module may include access to personal email accounts, personal voice mail accounts, and documents stored in segregated memory reserved for personal related documents and materials (or in generally available memory). The difference between business and personal may be based on a number of factors, such as a “whitelist” of email addresses that shunt those emails to the business module and “graylist” of SMS addresses/numbers that shunt those messages to the personal module. The business module may require higher authentication than the personal module. The business module may ban access entirely if the user is not located within a certain location (e.g., the business module is inaccessible if the user is not located on a particular military base to decrease the opportunity for top secret communications to be viewed off the base).
  • The division between modules may be enforced using a number of technologies such as, for example, a secure mode such as with a secure sandbox format. For example, a sandbox may include a security mechanism for separating running programs. It may be used to operate content, such as code, or access data on a business versus personal division. The sandbox environment may provide a tightly-controlled set of resources for programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices may be disallowed or heavily restricted. A sandbox may be implemented using virtualization technology. An application may even be executed on the cloud while in a sandboxed environment.
  • Block 220 includes determining a second security authentication level based on the determined first environmental factor. Block 225 includes allowing access to a second module of the mobile communications device based on the second security authentication level. Thus, determining a user is in her home may result in requiring voice recognition to access email and alphanumeric passwords to access attachments to the email. Access to the attachment via voice recognition is not allowed. Access to documents stored in a sandboxed environment may not be allowed at all due to the user being located at her home and not at her office or because she is located in country X which is included in a blacklist of countries.
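  • One way to express the module gating of blocks 215, 225 and 230 as a small access check, added here as an illustration and not taken from the patent. The module names, the rule table, the location labels, and the three outcomes (allow, step_up, deny) are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class ModuleRule:
    min_level: Level
    # None: usable anywhere. Otherwise access is banned outside these
    # locations no matter how strongly the user has authenticated.
    only_in: Optional[frozenset] = None


# Constructed rule table following the business/personal split (assumed names).
RULES = {
    "music": ModuleRule(Level.NONE),            # baseline module, no auth
    "sms": ModuleRule(Level.MEDIUM),
    "email": ModuleRule(Level.HIGH),
    "business_docs": ModuleRule(Level.HIGH, only_in=frozenset({"base"})),
}


def decide(module: str, satisfied: Level, location: Optional[str]):
    """Return (outcome, level still required) for one access attempt.

    satisfied is the strongest level the user has already met in this
    session; location is the current location label, or None if unknown.
    """
    rule = RULES.get(module)
    if rule is None:
        return "deny", None                     # unknown module: fail closed
    if rule.only_in is not None and location not in rule.only_in:
        return "deny", None                     # location ban, not a step-up
    if satisfied >= rule.min_level:
        return "allow", None
    return "step_up", rule.min_level            # prompt for a stronger factor


def accessible(satisfied: Level, location: Optional[str]) -> list:
    """Modules the user can open right now without a further prompt."""
    return sorted(m for m in RULES
                  if decide(m, satisfied, location)[0] == "allow")


if __name__ == "__main__":
    print(accessible(Level.MEDIUM, "home"))
    print(decide("email", Level.MEDIUM, "home"))
    print(decide("business_docs", Level.HIGH, "home"))
```

The location ban is checked before the level comparison, so a module restricted to one site is never offered as a step-up prompt elsewhere, and an unknown location is treated the same as a disallowed one.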
  • Block 207 includes determining the first environmental factor by determining whether the communications device is communicatively coupled to a wireless communications network. Thus, determining the device is receiving periodic pings or messages from a cellular network may indicate the user's location can be identified and thus, a lower level of authentication may be required. However, determining the communications device is communicatively coupled to a wireless communications network may also indicate a negative to the user's use policy. For example, in an embodiment recognition of such communication could be indicative of a risk the device is being snooped by other devices. In an embodiment, determining the first environmental factor includes determining whether the communications device has communicated a threshold level of data via the wireless communications network. Thus, an occasional ping from a cellular tower may not increase security levels. The same is true for an occasional Bluetooth® communication. However, a snooped device may be unwittingly communicating an amount of information that exceeds a threshold and thus require a higher security authentication level. The same may be true for simple internet browsing. However, in some embodiments certain networks may be whitelisted (e.g., a home network) whereas other networks are not whitelisted (e.g., a coffee shop network) and thus require higher security. Furthermore, different communications (e.g., cellular vs. WiFi) may require different security levels.
  • Blocks 235, 240 include receiving a communication from an additional computing node; determining a first characteristic for the communication; determining a second security authentication level based on the determined first characteristic; and allowing access to the communication based on the first and second security authentication levels. Thus, in an embodiment a user may receive an email. A characteristic for that email may include the email address (or some portion thereof like a domain portion that is recognized as the domain of the person's employer), a prioritization flag, or a size of the email. Characteristics of other communications may be the type of communication. For example, a SMS message may call for lower priority than voice messages or phone calls. SMS messages from certain phone numbers may require lower priority than those from other phone numbers. Access to these communications may thus be based on multiple security levels such as one based on proximity of the device as well as another based on the characteristic of the communication. In an embodiment the highest security level may win out. For example, if location dictates voice recognition is fine but the communication characteristic (e.g., the email is from a sender on a whitelist that indicates the email is from the user's boss) dictates retinal scanning, then retinal scanning may be required for viewing the email.
  • Another embodiment (in addition to or instead of the subject matter of blocks 235, 240) may include receiving a communication from an additional computing node; determining a first characteristic for the communication; and allowing access to the communication based on the first characteristic and the first security authentication level. In this situation the first security level may completely determine the security level needed to access the communication.
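  • The policy evaluation described for FIG. 1 (blocks 110 to 120) and for blocks 235, 240, sketched in Python as an added example; it is not code from the patent or from any product. The class names, the decibel noise threshold, and the sample policy values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Ordered so that max() implements 'the highest security level wins'."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Block 110: mechanism chosen for each level (assumed user choices).
MECHANISMS = {
    Level.NONE: "no authentication",
    Level.LOW: "voice recognition",
    Level.MEDIUM: "facial recognition",
    Level.HIGH: "12-character alphanumeric password",
}


@dataclass(frozen=True)
class Context:
    location: Optional[str]     # None when no location fix is available
    network_connected: bool     # coupled to a cellular or WiFi network
    ambient_noise_db: float     # assumed unit for sensed ambient noise


@dataclass(frozen=True)
class Communication:
    sender: str
    flags: frozenset = frozenset()


@dataclass
class Policy:
    # Block 115: contexts linked to authentication levels.
    safe_zones: dict = field(default_factory=dict)     # location -> Level
    sender_levels: dict = field(default_factory=dict)  # sender -> Level
    flag_levels: dict = field(default_factory=dict)    # flag -> Level
    noise_limit_db: float = 70.0                       # assumed threshold
    noisy_level: Level = Level.MEDIUM

    def environment_level(self, ctx: Context) -> Level:
        # Without a network or a fix the location cannot be established,
        # so the policy demands the highest level instead of guessing.
        if not ctx.network_connected or ctx.location is None:
            return Level.HIGH
        # Locations that are not defined safe zones fall through to HIGH.
        level = self.safe_zones.get(ctx.location, Level.HIGH)
        # Ambient noise overrides a safe zone; it can only raise the level.
        if ctx.ambient_noise_db >= self.noise_limit_db:
            level = max(level, self.noisy_level)
        return level

    def communication_level(self, comm: Communication) -> Level:
        # A sender with no entry is treated as a non-whitelisted party.
        level = self.sender_levels.get(comm.sender, Level.HIGH)
        for flag in comm.flags:
            level = max(level, self.flag_levels.get(flag, Level.NONE))
        return level

    def required(self, ctx: Context, comm: Optional[Communication] = None):
        """Block 120: detect contexts, then demand the highest level."""
        level = self.environment_level(ctx)
        if comm is not None:
            level = max(level, self.communication_level(comm))
        return level, MECHANISMS[level]


# Constructed sample policy.
POLICY = Policy(
    safe_zones={"home": Level.NONE, "car": Level.LOW, "office": Level.LOW},
    sender_levels={"daughter": Level.LOW, "boss": Level.HIGH},
    flag_levels={"urgent": Level.MEDIUM, "top secret": Level.HIGH},
)

if __name__ == "__main__":
    quiet_home = Context("home", True, 35.0)
    print(POLICY.required(quiet_home))
    print(POLICY.required(Context("home", True, 85.0)))
    print(POLICY.required(Context("car", True, 40.0), Communication("boss")))
```

Every rule either sets a starting level or raises it with max(), so adding a contextual factor can tighten the requirement but never weaken one already imposed.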
  • Embodiments may rely on an environmental factor selected from one or more of the group comprising (a) location of the communication device, (b) whether the communications device is communicatively coupled to a wireless communications network, (c) time of day (e.g., requiring very high security at 2 a.m.), (d) audible noise sensed by the communications device (e.g., requiring very high security at a noisy transit station), and (e) altitude sensed by the communications device.
  • An embodiment may include determining the first security authentication level by selecting a first security authentication level but not selecting a second security authentication level or a third security level, the first, second, and third security authentication levels being included in a plurality of security authentication levels. Thus, there may be a plurality of levels to choose from rather than a simple scenario where either no security is needed or some security is needed.
  • In such an embodiment the first security authentication level corresponds to a first authentication module, the second security authentication level corresponds to a second authentication module, and the third security authentication level corresponds to a third authentication module; wherein the first, second, and third security authentication modules are each selected from the group comprising retinal scanning, iris scanning, facial recognition, a password having a first length, a password having a second length longer than the first length, fingerprint recognition, voice recognition, a personal identification number (PIN), a radio frequency identification (RFID), a security token, and a biometric.
  • FIG. 3 includes a method in an embodiment. FIG. 3 shows that blocks 235, 240 may exist separately from the rest of FIG. 2 (and FIG. 2 may exist separate from blocks 235, 240). Block 305 includes receiving a communication from a computing node. Block 310 includes determining a first characteristic for the communication. Block 315 includes determining a first security authentication level based on the determined first characteristic. Block 320 includes allowing access to the communication based on the first characteristic and the first security authentication level.
  • Embodiments may be used in many different types of systems. For example, in one embodiment a communication device can be arranged to perform the various methods and techniques described herein. Of course, the scope of the present invention is not limited to a communication device, and instead other embodiments can be directed to other types of apparatus for processing instructions.
  • Program instructions may be used to cause a general-purpose or special-purpose processing system that is programmed with the instructions to perform the operations described herein. Alternatively, the operations may be performed by specific hardware components that contain hardwired logic for performing the operations, or by any combination of programmed computer components and custom hardware components. The methods described herein may be provided as (a) a computer program product that may include one or more machine readable media having stored thereon instructions that may be used to program a processing system or other electronic device to perform the methods or (b) at least one storage medium having instructions stored thereon for causing a system to perform the methods. The term “machine readable medium” or “storage medium” used herein shall include any medium that is capable of storing or encoding a sequence of instructions for execution by the machine and that cause the machine to perform any one of the methods described herein. The term “machine readable medium” or “storage medium” shall accordingly include, but not be limited to, memories such as solid-state memories, optical and magnetic disks, read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically EPROM (EEPROM), a disk drive, a floppy disk, a compact disk ROM (CD-ROM), a digital versatile disk (DVD), flash memory, a magneto-optical disk, as well as more exotic mediums such as machine-accessible biological state preserving storage. A medium may include any mechanism for storing, transmitting, or receiving information in a form readable by a machine, and the medium may include medium through which the program code may pass, such as antennas, optical fibers, communications interfaces, etc. Program code may be transmitted in the form of packets, serial data, parallel data, etc., and may be used in a compressed or encrypted format. 
Furthermore, it is common in the art to speak of software, in one form or another (e.g., program, procedure, process, application, module, logic, and so on) as taking an action or causing a result. Such expressions are merely a shorthand way of stating that the execution of the software by a processing system causes the processor to perform an action or produce a result.
  • Referring now to FIG. 4, shown is a block diagram of a system embodiment 1000 in accordance with an embodiment of the present invention. Shown is a multiprocessor system 1000 that includes a first processing element 1070 and a second processing element 1080. While two processing elements 1070 and 1080 are shown, it is to be understood that an embodiment of system 1000 may also include only one such processing element. System 1000 is illustrated as a point-to-point interconnect system, wherein the first processing element 1070 and second processing element 1080 are coupled via a point-to-point interconnect 1050. It should be understood that any or all of the interconnects illustrated may be implemented as multi-drop bus rather than point-to-point interconnect. As shown, each of processing elements 1070 and 1080 may be multicore processors, including first and second processor cores (i.e., processor cores 1074 a and 1074 b and processor cores 1084 a and 1084 b). Such cores 1074, 1074 b, 1084 a, 1084 b may be configured to execute instruction code in a manner similar to methods discussed herein.
  • Each processing element 1070, 1080 may include at least one shared cache. The shared cache may store data (e.g., instructions) that are utilized by one or more components of the processor, such as the cores 1074 a, 1074 b and 1084 a, 1084 b, respectively. For example, the shared cache may locally cache data stored in a memory 1032, 1034 for faster access by components of the processor. In one or more embodiments, the shared cache may include one or more mid-level caches, such as level 2 (L2), level 3 (L3), level 4 (L4), or other levels of cache, a last level cache (LLC), and/or combinations thereof.
  • While shown with only two processing elements 1070, 1080, it is to be understood that the scope of the present invention is not so limited. In other embodiments, one or more additional processing elements may be present in a given processor. Alternatively, one or more of processing elements 1070, 1080 may be an element other than a processor, such as an accelerator or a field programmable gate array. For example, additional processing element(s) may include additional processor(s) that are the same as a first processor 1070, additional processor(s) that are heterogeneous or asymmetric to first processor 1070, accelerators (such as, e.g., graphics accelerators or digital signal processing (DSP) units), field programmable gate arrays, or any other processing element. There can be a variety of differences between the processing elements 1070, 1080 in terms of a spectrum of metrics of merit including architectural, microarchitectural, thermal, power consumption characteristics, and the like. These differences may effectively manifest themselves as asymmetry and heterogeneity amongst the processing elements 1070, 1080. For at least one embodiment, the various processing elements 1070, 1080 may reside in the same die package.
  • First processing element 1070 may further include memory controller logic (MC) 1072 and point-to-point (P-P) interfaces 1076 and 1078. Similarly, second processing element 1080 may include a MC 1082 and P-P interfaces 1086 and 1088. As shown in FIG. 10, MC's 1072 and 1082 couple the processors to respective memories, namely a memory 1032 and a memory 1034, which may be portions of main memory locally attached to the respective processors. While MC logic 1072 and 1082 is illustrated as integrated into the processing elements 1070, 1080, for alternative embodiments the MC logic may be discrete logic outside the processing elements 1070, 1080 rather than integrated therein.
  • First processing element 1070 and second processing element 1080 may be coupled to an I/O subsystem 1090 via P-P interfaces 1076, 1086 via P-P interconnects 1062, 10104, respectively. As shown, I/O subsystem 1090 includes P-P interfaces 1094 and 1098. Furthermore, I/O subsystem 1090 includes an interface 1092 to couple I/O subsystem 1090 with a high performance graphics engine 1038. In one embodiment, a bus may be used to couple graphics engine 1038 to I/O subsystem 1090. Alternately, a point-to-point interconnect 1039 may couple these components.
  • In turn, I/O subsystem 1090 may be coupled to a first bus 10110 via an interface 1096. In one embodiment, first bus 10110 may be a Peripheral Component Interconnect (PCI) bus, or a bus such as a PCI Express bus or another third generation I/O interconnect bus, although the scope of the present invention is not so limited.
  • As shown, various I/O devices 1014, 1024 may be coupled to first bus 10110, along with a bus bridge 1018 which may couple first bus 10110 to a second bus 1020. In one embodiment, second bus 1020 may be a low pin count (LPC) bus. Various devices may be coupled to second bus 1020 including, for example, a keyboard/mouse 1022, communication device(s) 1026 (which may in turn be in communication with a computer network), and a data storage unit 1028 such as a disk drive or other mass storage device which may include code 1030, in one embodiment. The code 1030 may include instructions for performing embodiments of one or more of the methods described above. Further, an audio I/O 1024 may be coupled to second bus 1020.
  • Note that other embodiments are contemplated. For example, instead of the point-to-point architecture shown, a system may implement a multi-drop bus or another such communication topology. Also, the elements of the Figure may alternatively be partitioned using more or fewer integrated chips than shown in the Figure.
  • A first example includes a method executed by at least one processor comprising: determining a first environmental factor for a mobile communications device; determining a first security authentication level based on the determined first environmental factor; and allowing access to a first module of the mobile communications device based on the first security authentication level.
  • In example 2 the subject matter of the Example 1 can optionally include disallowing access to a second module of the mobile communications device based on the first security authentication level.
  • In example 3 the subject matter of the Examples 1-2 can optionally include determining a second security authentication level based on the determined first environmental factor; and allowing access to a second module of the mobile communications device based on the second security authentication level. For example, the first environmental factor may include determining a location for the device is the user's bedroom. As a result, the device may determine a first security authentication level (e.g., a low level needed to access photographs in a first module) and a second security level (e.g., a higher level needed to access emails in second module) are satisfied.
  • In example 4 the subject matter of the Examples 1-3 can optionally include determining the first environmental factor includes determining a location of the mobile communications device.
  • In example 5 the subject matter of the Examples 1-4 can optionally include determining whether the location is included in a predetermined group of locations.
  • In example 6 the subject matter of the Examples 1-5 can optionally include determining the first environmental factor includes determining whether the communications device is communicatively coupled to a wireless communications network.
  • In another embodiment of example 6 the subject matter of the examples 1-5 can optionally include determining the first environmental factor by detecting transmissions from another computing node. Such transmissions may be RF transmissions. For example, in one embodiment if the device detects an additional device nearby (e.g., by “snooping” transmissions for the additional device), it restricts access/heightens security authentication level(s). This does not necessarily mean that the additional device is “coupled” to the user's device, only that the user's device can “hear” the additional device. For example, RF technologies (e.g., Bluetooth® and Wi-Fi) regularly emit transmissions to discover and/or maintain connections (e.g., “discovery” transmissions). Those transmissions are not part of any specific connection, but since they are wireless they can be observed by any device nearby (including the user's device). Hence the user's device can “listen” for those transmissions (e.g., such as these “discovery” transmissions) to identify devices nearby. Whether detection of such a device triggers a higher security level may depend on, in some embodiments, whether the detected device is recognized (e.g., included in a whitelist or the like). Such an embodiment may also listen to transmissions between an additional device and any other node (even without being able to identify the contents of the transmissions due to encryption). Thus, if the additional device is connected to Wi-Fi and the user's device detects this, then the policy may detect higher security. In an embodiment, a time threshold may be used such that the security level is determined based on whether the communication node has detected transmissions from another node in the previous X minutes (e.g., 1, 5, 10, 15 minutes).
  • In example 7 the subject matter of the Examples 1-6 can optionally include wherein determining the first environmental factor includes determining whether the communications device has communicated a threshold level of data via the wireless communications network of example 6.
  • In example 8 the subject matter of the Examples 1-7 can optionally include receiving a communication from an additional computing node; determining a first characteristic for the communication; determining a second security authentication level based on the determined first characteristic; and allowing access to the communication based on the first and second security authentication levels.
  • In example 9 the subject matter of the Examples 1-8 can optionally include receiving a communication from an additional computing node; determining a first characteristic for the communication; and allowing access to the communication based on the first characteristic and the first security authentication level.
  • In example 10 the subject matter of the Examples 1-9 can optionally include wherein the first environmental factor is selected from one or more of the group comprising location of the communication device, whether the communications device is communicatively coupled to a wireless communications network, time of day, whether the communications device detects transmissions from another computing node, audible noise sensed by the communications device, and altitude sensed by the communications device.
  • In example 11 the subject matter of the Examples 1-10 can optionally include wherein determining the first security authentication level includes selecting the first security authentication level but not selecting second or third security authentication levels, the first, second, and third security authentication levels being included in a plurality of security authentication levels.
  • In another embodiment of example 11 the subject matter of the Examples 1-10 can optionally include determining a second environmental factor for the mobile communications device; and determining the first security authentication level based on the determined first and second environmental factors. Such first and second factors may include device location and the detection of transmissions from another computing node.
  • In example 12 the subject matter of the Examples 1-11 can optionally include wherein the first security authentication level corresponds to first authentication module, the second security authentication level corresponds to a second authentication module, and the third security authentication level corresponds to a third authentication module; wherein the first, second, and third security authentication modules are each selected from the group comprising retinal scanning, iris scanning, facial recognition, a password having a first length, a password having a second length longer than the first length, fingerprint recognition, voice recognition, a personal identification number (PIN), a radio frequency identification (RFID), a security token, and a biometric. The biometric may include, without limitations, recognition of a user's vein or vessel pattern or characteristic, hand geometry, ocular blood vessels, gait, electrocardiogram, keyboard/mouse/touch/gesture dynamics, eye movements and the like. Additional “password-like” mechanisms may include recognition of a user's picture password, drawable pattern, passphrase, and the like. Additional “token-like” mechanisms may include, for example, a wearable companion device (e.g., watch, headset, head-mounted display, and the like), smartcard, SIM card, docking station or other peripherals, medical sensor device, and the like.
  • In another embodiment of example 12 the subject matter of the Examples 1-11 can optionally include wherein determining the first security authentication level includes selecting the first security authentication level but not selecting second or third security authentication levels, the first, second, and third security authentication levels being included in a plurality of security authentication levels; wherein the first security authentication level corresponds to first authentication module, the second security authentication level corresponds to a second authentication module, and the third security authentication level corresponds to a third authentication module; wherein the first, second, and third security authentication modules are each selected from the group comprising retinal scanning, iris scanning, facial recognition, a password having a first length, a password having a second length longer than the first length, fingerprint recognition, voice recognition, a personal identification number (PIN), a radio frequency identification (RFID), a security token, and a biometric.
  • In example 13 the subject matter of the Examples 1-12 can optionally include an apparatus comprising means for performing any one of claims 1 to 12.
  • In example 14 the subject matter of the Examples 1-12 can optionally include at least one storage medium having instructions stored thereon for causing a system to carry out a method according to any one of claims 1 to 12.
  • Example 15 includes a method executed by at least one processor comprising: receiving a communication from a computing node; determining a first characteristic for the communication; determining a first security authentication level based on the determined first characteristic; and allowing access to the communication based on the first characteristic and the first security authentication level.
  • In example 16 the subject matter of the Example 15 can optionally include wherein determining the first security authentication level includes selecting the first security authentication level but not selecting second or third security authentication levels, the first, second, and third security authentication levels being included in a plurality of security authentication levels.
  • In another embodiment of example 16 the subject matter of the Example 15 can optionally include determining a second characteristic for the communication; and determining the first security authentication level based on the determined first and second characteristics. For example, the first characteristic may be the type of message (e.g., SMS text versus voice message) and the second characteristic may be the identity of the sender. Thus, a text from a daughter may be treated differently than a text from a boss or a voice message from the daughter.
  • In example 17 the subject matter of the Examples 15-16 can optionally include determining a first environmental factor for a mobile communications device, the mobile computing device including the at least one processor; determining a second security authentication level based on the determined first environmental factor; and allowing access to the communication based on the first and second security authentication levels.
  • In example 18 the subject matter of the Examples 15-17 can optionally include allowing access to a first module of the mobile communications device based on the second security authentication level and disallowing access to a second module of the mobile communications device based on the second security authentication level.
  • In example 19 the subject matter of the Examples 15-18 can optionally include wherein determining the first environmental factor includes determining a location of the mobile communications device, the method further comprising determining whether the location is included in a predetermined group of locations.
  • In example 20 the subject matter of the Examples 15-19 can optionally include wherein determining the first environmental factor includes determining whether the communications device is communicatively coupled to a wireless communications network.
  • In example 21 the subject matter of the Examples 15-20 can optionally include at least one storage medium having instructions stored thereon for causing a system to carry out a method according to any one of claims 15 to 20.
  • Example 22 includes an apparatus comprising: at least one memory and at least one processor, coupled to the at least one memory, to perform operations comprising: determining a first environmental factor for a mobile communications device; determining a first security authentication level based on the determined first environmental factor; and allowing access to a first module of the mobile communications device based on the first security authentication level.
  • In example 23 the subject matter of the Example 22 can optionally include wherein the at least one processor is to perform operations comprising disallowing access to a second module of the mobile communications device based on the first security authentication level.
  • In another embodiment of example 23 the subject matter of the Example 22 can optionally include determining a second environmental factor for the mobile communications device; and determining the first security authentication level based on the determined first and second environmental factors.
  • In example 24 the subject matter of the Examples 22-23 can optionally include wherein determining the first environmental factor includes determining a location of the mobile communications device and the at least one processor is to perform operations comprising determining whether the location is included in a predetermined group of locations.
  • In example 25 the subject matter of the Examples 22-24 can optionally include wherein the at least one processor is to perform operations comprising: receiving a communication from an additional computing node; determining a first characteristic for the communication; determining a second security authentication level based on the determined first characteristic; and allowing access to the communication based on the first and second security authentication levels.
  • In example 26 the subject matter of the Examples 22-25 can optionally include wherein the at least one processor is to perform operations comprising: receiving a communication from an additional computing node; determining a first characteristic for the communication; and allowing access to the communication based on the first characteristic and the first security authentication level.
  • An embodiment includes a processing system comprising: means for determining a first environmental factor for a mobile communications device; means for determining a first security authentication level based on the determined first environmental factor; and means for allowing access to a first module of the mobile communications device based on the first security authentication level. An embodiment includes means for disallowing access to a second module of the mobile communications device based on the first security authentication level. An embodiment includes means for determining a second security authentication level based on the determined first environmental factor; and allowing access to a second module of the mobile communications device based on the second security authentication level. An embodiment includes means for determining the first environmental factor by determining a location of the mobile communications device. An embodiment includes means for determining whether the location is included in a predetermined group of locations. An embodiment includes means for determining the first environmental factor by determining whether the communications device is communicatively coupled to a wireless communications network. An embodiment includes means for determining the first environmental factor by determining whether the communications device has communicated a threshold level of data via the wireless communications network. An embodiment includes means for receiving a communication from an additional computing node; means for determining a first characteristic for the communication; means for determining a second security authentication level based on the determined first characteristic; and means for allowing access to the communication based on the first and second security authentication levels. 
    An embodiment includes means for receiving a communication from an additional computing node; means for determining a first characteristic for the communication; and means for allowing access to the communication based on the first characteristic and the first security authentication level.
  • An embodiment includes a processing system comprising: means for receiving a communication from a computing node; means for determining a first characteristic for the communication; means for determining a first security authentication level based on the determined first characteristic; and means for allowing access to the communication based on the first characteristic and the first security authentication level. An embodiment includes means for determining the first security authentication level by selecting the first security authentication level but not selecting second or third security authentication levels, the first, second, and third security authentication levels being included in a plurality of security authentication levels. An embodiment includes means for determining a first environmental factor for a mobile communications device, the mobile computing device including the at least one processor; means for determining a second security authentication level based on the determined first environmental factor; and means for allowing access to the communication based on the first and second security authentication levels. An embodiment includes means for allowing access to a first module of the mobile communications device based on the second security authentication level and disallowing access to a second module of the mobile communications device based on the second security authentication level. An embodiment includes means for determining the first environmental factor by determining a location of the mobile communications device, the method further comprising determining whether the location is included in a predetermined group of locations. An embodiment includes means for determining the first environmental factor by determining whether the communications device is communicatively coupled to a wireless communications network.
  • All optional features of the apparatus described above may also be implemented with respect to the method or process described herein. While the present invention has been described with respect to a limited number of embodiments, those skilled in the art will appreciate numerous modifications and variations therefrom. It is intended that the appended claims cover all such modifications and variations as fall within the true spirit and scope of this present invention.
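
The environment-driven policy of Examples 1-7 (predetermined locations, overheard transmissions from unrecognized nodes within a time window) and the communication-characteristic policy of Examples 15-17, sketched as an added example that is not part of the patent text or any Intel implementation. The level names, policy tables, device identifiers, the 5-minute window and the one-step-per-signal escalation rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class AuthLevel(IntEnum):
    """Ordered authentication levels; the mechanisms named are assumptions."""
    LOW = 1      # e.g. a short PIN
    MEDIUM = 2   # e.g. a longer password
    HIGH = 3     # e.g. a biometric


# Constructed policy data (illustrative values, not taken from the patent).
TRUSTED_LOCATIONS = {"home", "bedroom"}       # "predetermined group of locations"
RECOGNIZED_DEVICES = {"aa:bb:cc:00:00:01"}    # whitelist of known nearby devices
DETECTION_WINDOW_S = 5 * 60                   # "previous X minutes", with X = 5
MODULE_BASE = {"photos": AuthLevel.LOW, "email": AuthLevel.MEDIUM}
MESSAGE_BASE = {
    ("sms", "daughter"): AuthLevel.LOW,
    ("voice", "daughter"): AuthLevel.MEDIUM,
    ("sms", "boss"): AuthLevel.MEDIUM,
}


@dataclass
class Environment:
    location: str
    # (unix_time, device_id) pairs for discovery transmissions the device overheard
    sightings: list = field(default_factory=list)


def unrecognized_nearby(env, now):
    """Device ids heard inside the time window that are not on the whitelist."""
    return sorted({
        dev for ts, dev in env.sightings
        if 0 <= now - ts <= DETECTION_WINDOW_S and dev not in RECOGNIZED_DEVICES
    })


def escalation(env, now):
    """One step per risk signal: untrusted location, unrecognized device nearby."""
    steps = 0
    if env.location not in TRUSTED_LOCATIONS:
        steps += 1
    if unrecognized_nearby(env, now):
        steps += 1
    return steps


def raise_level(base, steps):
    """Raise a base level by the given number of steps, capped at HIGH."""
    return AuthLevel(min(int(AuthLevel.HIGH), int(base) + steps))


def level_for_module(module, env, now):
    """Authentication level needed for a module in the current environment."""
    # Modules missing from the policy fail closed to the highest level.
    base = MODULE_BASE.get(module, AuthLevel.HIGH)
    return raise_level(base, escalation(env, now))


def level_for_message(kind, sender, env, now):
    """Level needed to open a message, from its type, its sender and the environment."""
    base = MESSAGE_BASE.get((kind, sender), AuthLevel.HIGH)
    return raise_level(base, escalation(env, now))


def allow(required, presented):
    """Grant access only if the level the user has satisfied meets the requirement."""
    return presented >= required


# Constructed sample input: a whitelisted device heard a minute ago and an
# unknown device heard well outside the window, so neither escalates.
NOW = 1_000_000
AT_HOME = Environment("home", [(NOW - 60, "aa:bb:cc:00:00:01"),
                               (NOW - 1000, "11:22:33:44:55:66")])
AT_HOME_STRANGER = Environment("home", [(NOW - 120, "11:22:33:44:55:66")])
AT_CAFE = Environment("cafe", [(NOW - 120, "11:22:33:44:55:66")])

if __name__ == "__main__":
    for name, env in [("home", AT_HOME), ("home+stranger", AT_HOME_STRANGER),
                      ("cafe", AT_CAFE)]:
        print(name,
              level_for_module("photos", env, NOW).name,
              level_for_module("email", env, NOW).name,
              level_for_message("sms", "boss", env, NOW).name)
```
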

Claims (25)

1. A method executed by at least one processor comprising:
determining a first environmental factor for a mobile communications device;
determining a first security authentication level based on the determined first environmental factor; and
allowing access to a first module of the mobile communications device based on the first security authentication level.
2. The method of claim 1 comprising disallowing access to a second module of the mobile communications device based on the first security authentication level.
3. The method of claim 1 comprising:
determining a second security authentication level based on the determined first environmental factor; and
allowing access to a second module of the mobile communications device based on the second security authentication level.
4. The method of claim 1, wherein determining the first environmental factor includes determining a location of the mobile communications device.
5. The method of claim 4 comprising determining whether the location is included in a predetermined group of locations.
6. The method of claim 1, wherein determining the first environmental factor includes determining whether the communications device is communicatively coupled to a wireless communications network.
7. The method of claim 1, wherein determining the first environmental factor includes detecting transmissions from another computing node.
8. The method of claim 1 comprising:
receiving a communication from an additional computing node;
determining a first characteristic for the communication;
determining a second security authentication level based on the determined first characteristic; and
allowing access to the communication based on the first and second security authentication levels.
9. The method of claim 1 comprising:
receiving a communication from an additional computing node;
determining a first characteristic for the communication; and
allowing access to the communication based on the first characteristic and the first security authentication level.
10. The method of claim 1, wherein the first environmental factor is selected from one or more of the group comprising location of the communication device, whether the communications device is communicatively coupled to a wireless communications network, whether the communications device detects transmissions from another computing node, time of day, audible noise sensed by the communications device, and altitude sensed by the communications device.
11-14. (canceled)
15. At least one storage medium having instructions stored thereon for causing a system to:
receive a communication from a computing node;
determine a first characteristic for the communication;
determine a first security authentication level based on the determined first characteristic; and
allow access to the communication based on the first characteristic and the first security authentication level.
16. The at least one medium of claim 15, wherein determining the first security authentication level includes selecting the first security authentication level but not selecting second or third security authentication levels, the first, second, and third security authentication levels being included in a plurality of security authentication levels.
17. The at least one medium of claim 15 comprising instructions to:
determine a first environmental factor for a mobile communications device, the mobile computing device including the at least one processor;
determine a second security authentication level based on the determined first environmental factor; and
allow access to the communication based on the first and second security authentication levels.
18. The at least one medium of claim 17, wherein determining the first environmental factor includes detecting transmissions from another computing node.
19. The at least one medium of claim 17, wherein determining the first environmental factor includes determining a location of the mobile communications device, the method further comprising determining whether the location is included in a predetermined group of locations.
20-21. (canceled)
22. An apparatus comprising:
at least one memory and at least one processor, coupled to the at least one memory, to perform operations comprising:
determining a first environmental factor for a mobile communications device;
determining a first security authentication level based on the determined first environmental factor; and
allowing access to a first module of the mobile communications device based on the first security authentication level.
23. (canceled)
24. The apparatus of claim 22, wherein determining the first environmental factor includes determining a location of the mobile communications device and the at least one processor is to perform operations comprising determining whether the location is included in a predetermined group of locations.
25. (canceled)
26. The at least one medium of claim 1, wherein determining the first security authentication level includes selecting the first security authentication level but not selecting second or third security authentication levels, the first, second, and third security authentication levels being included in a plurality of security authentication levels.
27. The at least one medium of claim 26, wherein:
the first security authentication level corresponds to first authentication module, the second security authentication level corresponds to a second authentication module, and the third security authentication level corresponds to a third authentication module;
the first, second, and third security authentication modules are each selected from the group comprising retinal scanning, iris scanning, facial recognition, a password having a first length, a password having a second length longer than the first length, fingerprint recognition, voice recognition, a personal identification number (PIN), a radio frequency identification (RFID), a security token, and a biometric.
28. The at least one medium of claim 17 comprising instructions to allow access to a first module of the mobile communications device based on the second security authentication level and disallow access to a second module of the mobile communications device based on the second security authentication level.
29. The apparatus of claim 22, wherein the at least one processor is to perform operations comprising disallowing access to a second module of the mobile communications device based on the first security authentication level.
US14/127,215 2013-05-30 2013-05-30 Adaptive authentication systems and methods Abandoned US20140366128A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US16/282,601 US10666635B2 (en) 2013-05-30 2019-02-22 Adaptive authentication systems and methods
US16/847,941 US20200314079A1 (en) 2013-05-30 2020-04-14 Adaptive authentication systems and methods

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2013/043482 WO2014193396A1 (en) 2013-05-30 2013-05-30 Adaptive authentication systems and methods

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2013/043482 A-371-Of-International WO2014193396A1 (en) 2013-05-30 2013-05-30 Adaptive authentication systems and methods

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/282,601 Continuation US10666635B2 (en) 2013-05-30 2019-02-22 Adaptive authentication systems and methods

Publications (1)

Publication Number Publication Date
US20140366128A1 true US20140366128A1 (en) 2014-12-11

Family

ID=51989253

Family Applications (3)

Application Number Title Priority Date Filing Date
US14/127,215 Abandoned US20140366128A1 (en) 2013-05-30 2013-05-30 Adaptive authentication systems and methods
US16/282,601 Active US10666635B2 (en) 2013-05-30 2019-02-22 Adaptive authentication systems and methods
US16/847,941 Abandoned US20200314079A1 (en) 2013-05-30 2020-04-14 Adaptive authentication systems and methods

Family Applications After (2)

Application Number Title Priority Date Filing Date
US16/282,601 Active US10666635B2 (en) 2013-05-30 2019-02-22 Adaptive authentication systems and methods
US16/847,941 Abandoned US20200314079A1 (en) 2013-05-30 2020-04-14 Adaptive authentication systems and methods

Country Status (4)

Country Link
US (3) US20140366128A1 (en)
EP (2) EP3005607B1 (en)
CN (2) CN110096855B (en)
WO (1) WO2014193396A1 (en)

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9160729B2 (en) * 2013-08-20 2015-10-13 Paypal, Inc. Systems and methods for location-based device security
US20150332032A1 (en) * 2014-05-13 2015-11-19 Google Technology Holdings LLC Electronic Device with Method for Controlling Access to Same
US20150347732A1 (en) * 2014-05-29 2015-12-03 Google Technology Holdings LLC Electronic Device and Method for Controlling Access to Same
US9276887B2 (en) * 2014-03-19 2016-03-01 Symantec Corporation Systems and methods for managing security certificates through email
US9349035B1 (en) * 2014-06-13 2016-05-24 Maxim Integrated Products, Inc. Multi-factor authentication sensor for providing improved identification
US20160171300A1 (en) * 2014-12-15 2016-06-16 Fujitsu Limited Authentication apparatus and method
US20160203362A1 (en) * 2015-04-15 2016-07-14 Mediatek Inc. Air Writing And Gesture System With Interactive Wearable Device
US20160316366A1 (en) * 2015-04-23 2016-10-27 Kyocera Corporation Electronic device and voiceprint authentication method
US9485655B1 (en) * 2015-02-11 2016-11-01 EMC IP Holding Company LLC Providing power control to an electronic device using authentication
US20170070510A1 (en) * 2015-09-09 2017-03-09 Yahoo! Inc On-line account recovery
US9680812B1 (en) * 2014-03-27 2017-06-13 EMC IP Holding Company LLC Enrolling a user in a new authentication procdure only if trusted
US20170171177A1 (en) * 2015-12-11 2017-06-15 Paypal, Inc. Authentication via item recognition
US9867046B2 (en) 2014-08-07 2018-01-09 Yahoo Holdings, Inc. Services access for mobile devices
US20180048646A1 (en) * 2015-03-23 2018-02-15 Zte Corporation Method and Apparatus for Managing Graded Cipher
US9948479B2 (en) * 2016-04-05 2018-04-17 Vivint, Inc. Identification graph theory
CN108351924A (en) * 2015-06-30 2018-07-31 默菲信美国有限责任公司 Electronic security(ELSEC) container
US10235511B2 (en) 2013-04-19 2019-03-19 Pearson Education, Inc. Authentication integrity protection
WO2019054582A1 (en) * 2017-09-15 2019-03-21 Lg Electronics Inc. Digital device and biometric authentication method therein
US20190215663A1 (en) * 2018-01-11 2019-07-11 Htc Corporation Portable electronic device, operating method for the same, and non-transitory computer readable recording medium
US10356096B2 (en) * 2017-02-17 2019-07-16 At&T Intellectual Property I, L.P. Authentication using credentials submitted via a user premises device
US10430566B2 (en) * 2016-12-27 2019-10-01 Paypal, Inc. Vehicle based electronic authentication and device management
US10630693B1 (en) * 2015-05-05 2020-04-21 Wells Fargo Bank, N.A. Adaptive Authentication
US10681037B2 (en) * 2017-06-29 2020-06-09 Amadeus S.A.S. Terminal authentication
US10693874B2 (en) 2013-04-19 2020-06-23 Pearson Education, Inc. Authentication integrity protection
US10728500B2 (en) 2018-06-13 2020-07-28 At&T Intellectual Property I, L.P. Object-managed secured multicast system
US10896673B1 (en) * 2017-09-21 2021-01-19 Wells Fargo Bank, N.A. Authentication of impaired voices
US10911432B2 (en) * 2014-02-28 2021-02-02 Siemens Aktiengesellschaft Use of certificates using a positive list
US20220147611A1 (en) * 2019-02-25 2022-05-12 Sony Group Corporation Information processing apparatus, information processing method, and program

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101898177B1 (en) * 2013-01-08 2018-09-12 이데라 파마슈티칼즈, 인코포레이티드 Immune regulatory oligonucleotide (iro) compounds to modulate toll-like receptor based immune response
US9521122B2 (en) * 2014-05-09 2016-12-13 International Business Machines Corporation Intelligent security analysis and enforcement for data transfer
CN106254378B (en) * 2016-09-09 2020-02-07 宇龙计算机通信科技(深圳)有限公司 Safety control method and system for Near Field Communication (NFC) mobile terminal
US11100204B2 (en) * 2018-07-19 2021-08-24 Motorola Mobility Llc Methods and devices for granting increasing operational access with increasing authentication factors
CN110096865B (en) * 2019-05-13 2021-07-23 北京三快在线科技有限公司 Method, device and equipment for issuing verification mode and storage medium
CN111046372B (en) * 2019-12-04 2023-05-23 深圳模微半导体有限公司 Method for information security authentication between communication devices, chip and electronic device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030005480A1 (en) * 1997-03-11 2003-01-02 Yuko Ohashi Stress resistant plant in which cell death suppressing gene is introduced and method for producing the same
US20030054800A1 (en) * 2001-09-17 2003-03-20 Nec Corporation Individual authentication method for portable communication equipment and program product therefore
US20050039013A1 (en) * 2003-08-11 2005-02-17 Bajikar Sundeep M. Method and system for authenticating a user of a computer system that has a trusted platform module (TPM)
US20100004816A1 (en) * 2008-07-07 2010-01-07 International Business Machines Corporation System and method for gathering and submitting data to a third party in response to a vehicle being involved in an accident
US20100048167A1 (en) * 2008-08-21 2010-02-25 Palo Alto Research Center Incorporated Adjusting security level of mobile device based on presence or absence of other mobile devices nearby
US20120159183A1 (en) * 2010-12-16 2012-06-21 Research In Motion Limited Method and apparatus for securing a computing device

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7591020B2 (en) 2002-01-18 2009-09-15 Palm, Inc. Location based security modification system and method
US20040039909A1 (en) * 2002-08-22 2004-02-26 David Cheng Flexible authentication with multiple levels and factors
US7636853B2 (en) * 2003-01-30 2009-12-22 Microsoft Corporation Authentication surety and decay system and method
US7913084B2 (en) * 2006-05-26 2011-03-22 Microsoft Corporation Policy driven, credential delegation for single sign on and secure access to network resources
US8381306B2 (en) * 2006-05-30 2013-02-19 Microsoft Corporation Translating role-based access control policy to resource authorization policy
US8418222B2 (en) * 2008-03-05 2013-04-09 Microsoft Corporation Flexible scalable application authorization for cloud computing environments
CN101854581B (en) * 2009-03-31 2013-10-02 联想(北京)有限公司 Method for setting security level of mobile terminal on basis of position information and mobile terminal
US8214446B1 (en) * 2009-06-04 2012-07-03 Imdb.Com, Inc. Segmenting access to electronic message boards
US8555077B2 (en) 2011-11-23 2013-10-08 Elwha Llc Determining device identity using a behavioral fingerprint
WO2013059464A1 (en) * 2011-10-18 2013-04-25 Google Inc. Context-dependent authentication
CN102404686A (en) * 2011-11-21 2012-04-04 鸿富锦精密工业(深圳)有限公司 Safety control system and method

Cited By (45)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10691784B2 (en) 2013-04-19 2020-06-23 Pearson Education, Inc. Authentication integrity protection
US10235511B2 (en) 2013-04-19 2019-03-19 Pearson Education, Inc. Authentication integrity protection
US10693874B2 (en) 2013-04-19 2020-06-23 Pearson Education, Inc. Authentication integrity protection
US10691783B2 (en) 2013-04-19 2020-06-23 Pearson Education, Inc. Authentication integrity protection
US9160729B2 (en) * 2013-08-20 2015-10-13 Paypal, Inc. Systems and methods for location-based device security
US10958635B2 (en) 2013-08-20 2021-03-23 Paypal, Inc. Systems and methods for location-based device security
US9794243B2 (en) 2013-08-20 2017-10-17 Paypal, Inc. Systems and methods for location-based device security
US10243944B2 (en) 2013-08-20 2019-03-26 Paypal, Inc. Systems and methods for location-based device security
US10911432B2 (en) * 2014-02-28 2021-02-02 Siemens Aktiengesellschaft Use of certificates using a positive list
US9276887B2 (en) * 2014-03-19 2016-03-01 Symantec Corporation Systems and methods for managing security certificates through email
US9680812B1 (en) * 2014-03-27 2017-06-13 EMC IP Holding Company LLC Enrolling a user in a new authentication procdure only if trusted
US9710629B2 (en) * 2014-05-13 2017-07-18 Google Technology Holdings LLC Electronic device with method for controlling access to same
US10255417B2 (en) 2014-05-13 2019-04-09 Google Technology Holdings LLC Electronic device with method for controlling access to same
US20150332032A1 (en) * 2014-05-13 2015-11-19 Google Technology Holdings LLC Electronic Device with Method for Controlling Access to Same
US20150347732A1 (en) * 2014-05-29 2015-12-03 Google Technology Holdings LLC Electronic Device and Method for Controlling Access to Same
US9349035B1 (en) * 2014-06-13 2016-05-24 Maxim Integrated Products, Inc. Multi-factor authentication sensor for providing improved identification
US9867046B2 (en) 2014-08-07 2018-01-09 Yahoo Holdings, Inc. Services access for mobile devices
US20160171300A1 (en) * 2014-12-15 2016-06-16 Fujitsu Limited Authentication apparatus and method
US9485655B1 (en) * 2015-02-11 2016-11-01 EMC IP Holding Company LLC Providing power control to an electronic device using authentication
US20180048646A1 (en) * 2015-03-23 2018-02-15 Zte Corporation Method and Apparatus for Managing Graded Cipher
US10055563B2 (en) * 2015-04-15 2018-08-21 Mediatek Inc. Air writing and gesture system with interactive wearable device
US20160203362A1 (en) * 2015-04-15 2016-07-14 Mediatek Inc. Air Writing And Gesture System With Interactive Wearable Device
US20160316366A1 (en) * 2015-04-23 2016-10-27 Kyocera Corporation Electronic device and voiceprint authentication method
US9807611B2 (en) * 2015-04-23 2017-10-31 Kyocera Corporation Electronic device and voiceprint authentication method
US11575678B1 (en) 2015-05-05 2023-02-07 Wells Fargo Bank, N.A. Adaptive authentication
US10630693B1 (en) * 2015-05-05 2020-04-21 Wells Fargo Bank, N.A. Adaptive Authentication
CN108351924A (en) * 2015-06-30 2018-07-31 默菲信美国有限责任公司 Electronic security(ELSEC) container
US10135801B2 (en) * 2015-09-09 2018-11-20 Oath Inc. On-line account recovery
US20170070510A1 (en) * 2015-09-09 2017-03-09 Yahoo! Inc On-line account recovery
US20170171177A1 (en) * 2015-12-11 2017-06-15 Paypal, Inc. Authentication via item recognition
US10397208B2 (en) * 2015-12-11 2019-08-27 Paypal, Inc. Authentication via item recognition
US10505753B2 (en) 2016-04-05 2019-12-10 Vivint, Inc. Identification graph theory
US9948479B2 (en) * 2016-04-05 2018-04-17 Vivint, Inc. Identification graph theory
US10430566B2 (en) * 2016-12-27 2019-10-01 Paypal, Inc. Vehicle based electronic authentication and device management
US10356096B2 (en) * 2017-02-17 2019-07-16 At&T Intellectual Property I, L.P. Authentication using credentials submitted via a user premises device
US11122045B2 (en) 2017-02-17 2021-09-14 At&T Intellectual Property I, L.P. Authentication using credentials submitted via a user premises device
US10681037B2 (en) * 2017-06-29 2020-06-09 Amadeus S.A.S. Terminal authentication
WO2019054582A1 (en) * 2017-09-15 2019-03-21 Lg Electronics Inc. Digital device and biometric authentication method therein
US10635798B2 (en) 2017-09-15 2020-04-28 Lg Electronics Inc. Digital device and biometric authentication method therein
US10896673B1 (en) * 2017-09-21 2021-01-19 Wells Fargo Bank, N.A. Authentication of impaired voices
US11935524B1 (en) 2017-09-21 2024-03-19 Wells Fargo Bank, N.A. Authentication of impaired voices
US20190215663A1 (en) * 2018-01-11 2019-07-11 Htc Corporation Portable electronic device, operating method for the same, and non-transitory computer readable recording medium
US11089446B2 (en) * 2018-01-11 2021-08-10 Htc Corporation Portable electronic device, operating method for the same, and non-transitory computer readable recording medium
US10728500B2 (en) 2018-06-13 2020-07-28 At&T Intellectual Property I, L.P. Object-managed secured multicast system
US20220147611A1 (en) * 2019-02-25 2022-05-12 Sony Group Corporation Information processing apparatus, information processing method, and program

Also Published As

Publication number Publication date
CN105164970B (en) 2019-12-17
WO2014193396A1 (en) 2014-12-04
EP3005607B1 (en) 2020-01-08
CN105164970A (en) 2015-12-16
US20200314079A1 (en) 2020-10-01
CN110096855A (en) 2019-08-06
US20190190901A1 (en) 2019-06-20
CN110096855B (en) 2023-08-15
EP3681125A1 (en) 2020-07-15
EP3005607A4 (en) 2017-01-18
EP3005607A1 (en) 2016-04-13
US10666635B2 (en) 2020-05-26

Similar Documents

Publication Publication Date Title
US10666635B2 (en) Adaptive authentication systems and methods
US11508382B2 (en) System, device and method for enforcing privacy during a communication session with a voice assistant
US9391985B2 (en) Environment-based two-factor authentication without geo-location
US10785210B2 (en) User-enabled, two-factor authentication service
US10575347B2 (en) Delivery of shared WiFi credentials
KR101857899B1 (en) Extending user authentication across a trust group of smart devices
US20160066184A1 (en) Pairing Computing Devices According To A Multi-Level Security Protocol
CN107113611B (en) User authentication confidence based on multiple devices
US10154026B2 (en) Secure remote modification of device credentials using device-generated credentials
EP3446457A1 (en) Two-factor authentication
US20190065777A1 (en) Approach to hide or display confidential incoming messages and/or notifications on a user interface
US10993090B2 (en) Network access method, apparatus, and system
US10979896B2 (en) Managing dynamic lockouts on mobile computing devices
Yohan et al. Dynamic multi-factor authentication for smartphone
US10931681B2 (en) Securing resources
Arimura et al. i/k-contact: A context-aware user authentication using physical social trust
US11526588B2 (en) Systems and methods for digital content anti-counterfeiting
CA3018853C (en) System, device and method for enforcing privacy during a communication session with a voice assistant

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTEL CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:VENKATESWARAN, VENKY P.;MARTIN, JASON;PRAKASH, GYAN;SIGNING DATES FROM 20150317 TO 20150331;REEL/FRAME:035306/0077

STCV Information on status: appeal procedure

Free format text: NOTICE OF APPEAL FILED

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION