US20190236257A1 - Identity Proxy for Access Control Systems - Google Patents
Info
- Publication number
- US20190236257A1 US16/378,306
- Authority
- US
- United States
- Prior art keywords
- electronic device
- user
- proxy
- security token
- signal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06V—IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
- G06V40/00—Recognition of biometric, human-related or animal-related patterns in image or video data
- G06V40/10—Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
- G06V40/12—Fingerprints or palmprints
- G06V40/1365—Matching; Classification
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
- G06F21/35—User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
-
- G06K9/0002—
-
- G06K9/00087—
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06V—IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
- G06V40/00—Recognition of biometric, human-related or animal-related patterns in image or video data
- G06V40/10—Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
- G06V40/12—Fingerprints or palmprints
- G06V40/13—Sensors therefor
- G06V40/1306—Sensors therefor non-optical, e.g. ultrasonic or capacitive sensing
Definitions
- the present disclosure relates generally to access control systems for electronic devices, and more particularly, to systems and methods for using portable security tokens as identity proxies for access control systems.
- An electronic device can include access control features to limit or prevent unauthorized access to the content or functionality of the device until a user's identity is confirmed.
- a smartphone may require entry of a passcode before information stored on (or accessible to) the smartphone can be obtained. Once unlocked, the smartphone can re-lock after a certain timeout period has expired.
- Electronic devices that can include access control features include cellular phones, smartphones, handheld computing devices, tablet computing devices, laptop computers, desktop computers, home appliances, personal electronic accessories, automobiles, home automation and/or security systems, medical devices, health devices, sports devices, wearable devices and so on.
- Embodiments described herein may relate to, include, or take the form of a method of authorizing access to a system with a plurality of electronic devices, the method including at least the operations of receiving a modulated capacitance signal, requesting a credential associated with a user authorized to access the system (e.g., biometric information such as a fingerprint), requesting that the user authorize the modulated capacitance signal as a proxy for the credential, and, upon receiving user authorization, permitting access to any of the plurality of electronic devices that receives the modulated capacitance signal within a selected timeout period, and denying access to each of the plurality of electronic devices once the timeout period has expired.
- access or denial of access can be correlated to geographic regions.
- modulated capacitance signals can originate from a portable authentication token in contact with the user's body.
- the token can be a ring worn on a user's finger, a band worn on a user's limb, a capsule ingested by a user, or an electronic device implanted within the user's body.
- the modulated capacitance signal can take the form of a digital code, such as a universally unique identifier (“UUID”).
- the modulated capacitance signal can take the form of the output of a one-way function, such as a hash function.
- the modulated capacitance signal can take the form of the output of an asymmetric key generation algorithm.
- the modulated capacitance signal can take the form of a rolling code.
- Some embodiments described herein may relate to a method of authorizing access to an electronic device, the method including at least the operations of receiving a modulated capacitance signal, determining whether the modulated capacitance signal may be authorized as a proxy for a credential associated with an operating user authorized to access the electronic device, and upon determining that the modulated capacitance signal may be authorized, permitting access to the electronic device associated with the operating user.
- Still further embodiments described herein may relate to, include, or take the form of a method of obtaining authorized access to a secure electronic device associated with a system of electronic devices, the method including at least the operations of sending a modulated capacitance signal corresponding to a unique identifier to an enrollment device, receiving a request from the enrollment device to provide a biometric credential associated with an authorized user of the system, providing the biometric credential, receiving a request from the secure electronic device to authorize the unique identifier as a proxy for the biometric credential, and sending the modulated capacitance signal to the secure electronic device to obtain access to the secure electronic device.
- FIG. 1 depicts a front view of an example electronic device operated by a user with a hardware security token.
- FIG. 2 depicts a simplified signal flow diagram of an access control system for use with an electronic device.
- FIG. 3 depicts example operations of a method of deputizing a hardware security token as an identity proxy for a previously-authenticated user.
- FIG. 4A depicts example operations of a method of deputizing a hardware security token as an identity proxy for a previously-authenticated user.
- FIG. 4B depicts example operations of a method of deputizing a hardware security token as an identity proxy for a previously-authenticated user.
- FIG. 5A depicts a front view of an example electronic device system operated by a user with a hardware security token.
- FIG. 5B depicts a front view of an electronic device associated with the system of FIG. 5A , permitting access by accepting a security token signal as a proxy for the credentials of a previously-authenticated user.
- FIG. 6 depicts example operations of a method of using a security token signal as a proxy for the credentials of a previously-authenticated user.
- FIG. 7A depicts a front view of another example electronic device system operated by a user with a hardware security token.
- FIG. 7B depicts a front view of an electronic device associated with the system of FIG. 7A , permitting limited access by accepting a security token signal as a proxy for the credentials of a previously-authenticated limited-access user.
- FIG. 8 depicts example operations of a method of controlling access associated with a security token signal as a proxy for the credentials of a previously-authenticated user.
- embodiments may permit a user to access, control, and otherwise interact with electronic devices and/or systems.
- a token may be carried by or associated with a user. So long as the user maintains the association with the token, the user can interact with the electronic device.
- the token may permit device access for a set period or indefinitely, and may replace or augment a password or other security measure.
- the user's natural body capacitance may modulate a signal between the token and the device, thereby inherently limiting the reach of the token's authority and thus enhancing security.
- Embodiments described herein relate to access control for electronic devices and systems.
- a user may have authorization to access the content and features of an electronic device.
- the electronic device may provide an access control feature such as a passcode or password as a challenge to the user to prove or confirm the user's identity. After the user provides the correct passcode, the electronic device can permit access to the content or features of the electronic device. In other words, an unknown user is identified as an authorized user when the electronic device receives a recognized passcode.
- an authorized user of an electronic device can deputize a proxy that may identify the user to the electronic device.
- the user may select a unique signal or code, sent in one example from a hardware security token, as a proxy for that user's identity.
- a hardware security token such as a keyfob
- a hardware security token can generate a unique signal that can be detected by an electronic device.
- the electronic device can detect the unique signal (“proxy signal”).
- the electronic device can consider the identity of the user to be confirmed, and, accordingly, permit access to the content and features of the electronic device without requiring entry of the passcode or password.
- a hardware security token can transmit the proxy signal wirelessly.
- the hardware security token can transmit over standardized protocols such as, but not necessarily limited to, Near Field Communication, Wi-Fi or Bluetooth. In other examples, other wireless protocols can be used.
- the transmit strength of the hardware security token may be intentionally limited so as to define a radius beyond which the proxy signal cannot be detected by the electronic device.
- the hardware security token can transmit the proxy signal via frequency and/or amplitude modulated light.
- the hardware security token can transmit an infrared signal. In some embodiments, other frequency bands may be used. In some examples, the maximum brightness output by the hardware security token can be intentionally limited.
- the hardware security token can transmit the proxy signal through a user's body via intrabody communication (“intrabody security token”).
- the intrabody security token can transmit the signal by modulating the body capacitance of the user.
- a single proxy signal can be output by more than one hardware security token.
- a user may deputize a single proxy signal as an identity proxy for a particular electronic device, but that user may obtain multiple hardware security tokens and may configure each token to output the same proxy signal.
- multiple proxy signals can be used as identity proxies for the same user.
- a single proxy signal (or a single hardware security token) can be deputized by a user as an identity proxy for a system of electronic devices owned and/or managed by the user.
- a user may have a cellular telephone, a tablet computer, a laptop computer, a desktop computer, and a vehicle.
- Each of these electronic devices may be connected to a central account associated with the user.
- the central account can be managed by the user, a third party, as a mesh network between each of the devices, and so on.
- a user may be required to recall and enter six separate passcodes and/or passwords to access each of the six electronic devices.
- the user can deputize a signal (and/or hardware security token) as a proxy for the central account associated with each device.
- each device can consider the user to be appropriately identified.
- the user described above can deputize an intrabody security token.
- the cellular phone can detect the proxy signal from the intrabody security token and, in response, can automatically unlock.
- the tablet can automatically unlock despite the fact that the tablet and the cellular phone can be secured with different passcodes or passwords.
- the vehicle can unlock.
- FIG. 1 depicts a front view of an example electronic device operated by a user in conjunction with a hardware security token that the user may keep with her at all times.
- the user 102 may attach the hardware security token 100 to herself.
- the hardware security token 100 can be attached via a band or strap to the user's wrist.
- different means of keeping the hardware security token 100 in the user's possession can be used.
- the hardware security token 100 can be kept by the user in a pocket or on a keychain.
- the hardware security token 100 can be kept in a wallet or purse.
- the hardware security token 100 may be worn as an accessory such as a bracelet, necklace, earring, anklet, earpiece, and so on.
- a hardware security token may be configured to generate a unique signal or code that can be detected by an electronic device 104 .
- the unique signal or code can take the form of a digital code, such as a UUID.
- the unique signal or code can take the form of the digest of a one-way function, such as a cryptographic hash function (e.g., MD5, SHA3, and so on).
- the unique signal or code can take the form of the output of an asymmetric key generation algorithm.
- the unique signal or code can take the form of a rolling code.
- the user 102 can deputize the hardware security token 100 as a proxy for the user's identity known to the electronic device 104 .
- the electronic device 104 can detect the presence of a hardware security token 100 by monitoring for the unique code or signal output from the hardware security token 100 .
- the electronic device 104 can request permission from the user 102 to deputize the hardware security token 100.
- the electronic device 104 can request the user 102 's permission by showing a confirmation dialog 108 on a display 106 .
- a user can interact with the confirmation dialog 108 to authorize the hardware security token 100 .
- the hardware security token 100 can be considered by the electronic device 104 as an identity proxy for the user 102 .
- the electronic device can request the user enter a particular authorization code.
- the electronic device can request the user enter a hardware code associated with the hardware security token (e.g., model number, serial number, and so on).
- the hardware security token 100 can be deputized automatically or by any other process.
- the unique code or signal is generally referred to herein as a “proxy signal.”
- the hardware security token 100 can transmit the proxy signal wirelessly.
- the hardware security token 100 can transmit over standardized protocols such as, but not necessarily limited to, Near Field Communication, Wi-Fi or Bluetooth. In other examples, other wireless protocols (including proprietary protocols) can be used.
- the hardware security token 100 may include a processor, a memory for storing instructions executed by the processor, a battery or other power source, and one or more wireless communication modules.
- the processor can execute instructions stored in the memory in order to generate the proxy signal. The processor can direct the proxy signal to the wireless communication module for transmission.
- the transmit strength of the wireless communication module of the hardware security token 100 may be intentionally limited so as to define a radius beyond which the proxy signal cannot be readily detected. In many cases, the transmit strength can be determined by the processor of the hardware security token 100 . In other examples, the transmit strength can be physically limited by selecting specific geometry for an antenna associated with the wireless transmit module. In still further embodiments, the transmit strength can be dynamically variable by the processor of the hardware security token 100 , or may be selectable by the user 102 .
- the hardware security token 100 can transmit the proxy signal via frequency and/or amplitude modulated light. In one embodiment, the hardware security token 100 can transmit over infrared. In such examples, the hardware security token 100 may include an infrared light emitting diode. In some embodiments, other frequency bands of light may be used. For example, the hardware security token 100 may transmit the proxy signal with visible light. As with some embodiments described herein, the maximum brightness output by the hardware security token 100 can be intentionally limited so as to define a maximum transmit radius.
- the hardware security token 100 can transmit the proxy signal through a body of user 102 via intrabody communication.
- intrabody communication can be intentionally limited and/or attenuated so as to define a distance from the user's body beyond which the proxy signal cannot be readily detected.
- modulation of the body capacitance of the user can be detectable only on a user's touch.
- modulation of the body capacitance of the user can be detectable only within a few centimeters of the user's skin.
- a hardware security token configured for intrabody communication is generally referred to herein as an “intrabody security token.”
- the intrabody security token 100 can transmit the proxy signal by modulating the body capacitance of the user 102 .
- the intrabody security token 100 may augment the capacitance of the user's body with respect to ground so as to produce a modulated electrical signal measurable by the electronic device 104 once the user 102 touches the electronic device 104 .
- the intrabody security token 100 can produce a proxy signal that is detectable only when the user 102 touches, or is in very close physical proximity, to the electronic device 104 .
- although a modulated capacitance signal may be described with respect to many embodiments herein, other intrabody communication techniques can be used, for example, ultrasonic signaling, galvanic coupling, intrabody optical transmission, and so on.
- the intrabody security token 100 can be worn by a user.
- the intrabody security token 100 can be formed as or included within a band worn on the user's limb.
- the intrabody security token 100 can be included within an accessory meant to be worn on a user's finger, toe, ear, or other body part.
- the intrabody security token 100 can be partially or fully implanted within a user, such as by piercing through a portion of the user's skin and/or being surgically implanted.
- the intrabody security token 100 can be formed into the user's skin via a tattooing process.
- the intrabody security token 100 may be in part formed from conductive ink.
- the intrabody security token 100 can be applied to the user's skin via an adhesive.
- the intrabody security token 100 can be temporarily or permanently utilized while it is within a user's body.
- the intrabody security token 100 may be formed on or within a user's tooth.
- the intrabody security token 100 can be included within a capsule or pill ingested by the user.
- the intrabody security token 100 can be included within a medical accessory or device configured to be worn or otherwise attached to a user such as an insulin pump, a defibrillator, an artificial joint, an embedded structure or device, a radiation or medication delivery device, an artificial limb or appendage, a diagnostic device, and so on.
- FIG. 2 depicts a simplified signal flow diagram of an access control system for use with an electronic device.
- a hardware security token 200 may be in communication with an electronic device 204 .
- the hardware security token 200 can be capacitively coupled to the electronic device 204 via a capacitive interface 202 .
- the capacitive interface 202 can be the user's body capacitance that is augmented or controlled by the hardware security token 200.
- other means of communication between the hardware security token 200 and the electronic device 204 can be used.
- the electronic device 204 can have a processor 206 that is operably associated with a memory 208 , a biometric sensor 210 (e.g., fingerprint sensor), an input/output device 212 , and a display 214 .
- the processor 206 can be configured to execute one or more instructions stored in the memory 208 to perform or coordinate one or more functions or features of the electronic device 204 .
- additional or fewer components can be implemented within an electronic device 204 .
- certain electronic devices 204 may not necessarily include a biometric sensor 210 .
- the electronic device 204 can receive a proxy signal from the hardware security token 200 through a sensing unit 214 .
- the sensing unit 214 can vary from embodiment to embodiment, depending upon the type of proxy signal expected from a particular hardware security token 200 . For example, if a hardware security token 200 is configured for intrabody communication via modulating capacitance, the sensing unit 214 may be configured to monitor for changes in capacitance. In another embodiment, if a hardware security token 200 is configured for intrabody communication via Wi-Fi, the sensing unit 214 may be configured to monitor a Wi-Fi frequency band.
- FIG. 3 depicts example operations of a method of deputizing a hardware security token as an identity proxy for a previously-authenticated user.
- the method can begin at operation 300 at which a hardware security token signal can be detected.
- the signal can be detected by an electronic device.
- a laptop computer can incorporate a sensing unit that is configured to measure, detect, or receive a hardware security token signal.
- operation 302 can be performed by an electronic device.
- the electronic device may simply request permission from a user to deputize the signal as a proxy for that user's identity.
- the electronic device can display a message on a screen of the device requesting such permission (see, e.g., FIG. 1 ).
- the electronic device may request a user's password or passcode before the electronic device accepts the signal as a proxy for that user's identity.
- the electronic device may request that the user provide biometric confirmation. For example, before the electronic device considers the signal as an identity proxy for the user, the electronic device can request the user authenticate the user's identity by providing a fingerprint.
- the method can continue to operation 306 at which the association between the hardware security token signal and the user's identity can be saved. Otherwise, the method can continue from operation 304 to operation 308 at which the detected hardware security token signal is disregarded and/or ignored.
- a cellular telephone can implement the method depicted in FIG. 3 .
- a user of the cellular phone can have a passcode to access the cellular phone. Once the user enters the passcode, the user has provided evidence to the cellular phone of the user's identity and the cellular phone can unlock in response.
- the user can have a hardware security token that outputs a particular unique signal.
- the cellular phone can ask the user whether the unique signal should be deputized as an identity proxy for the user.
- the user can approve the cellular phone's request by providing a fingerprint (in one example) to confirm the user's identity and approval. Thus, when the cellular phone next detects the proxy signal, the cellular phone can unlock without requiring the passcode.
- FIG. 4A depicts example operations of another method of deputizing a hardware security token as an identity proxy for a previously-authenticated user.
- the method can begin at operation 400 which can receive a notification to monitor (“monitoring signal”) for a new security token signal for a selected period of time.
- the operation 400 can be performed, in some embodiments, by an electronic device.
- an electronic device can receive the monitoring signal over Wi-Fi or Bluetooth.
- the electronic device can receive the monitoring signal via a request from a remote system over the Internet.
- some electronic devices can be connected, via the Internet, to one or more notification services (e.g., push notifications, email notifications, account notifications, and so on).
- the method can continue to operation 402 at which a security token signal can be received. Thereafter at 404 , the received signal can be compared to the new security token signal, and, if the signals match, the method can conclude at operation 406 , in which the received signal is deputized as an identity proxy for the currently active user.
- an identity proxy can be passed from user to user to access the same device.
- a parent can deputize a security token formed as a finger ring and configured to transmit the proxy signal via intrabody communication.
- the parent may access each of the parent's electronic devices (e.g., cell phone, tablet computer, and so on). If the parent removes the ring and gives the ring to a child, the child can access the parent's electronic devices without separate permissions from the parent.
- an on-duty security guard may wear a wrist band configured to transmit the proxy signal via intrabody communication.
- the security guard can access secure areas within a building by touching an input panel configured to control access to the secure area.
- the security guard can pass the wrist band to the next security guard on duty.
- a security token may be lost or stolen.
- a user can revoke the privileges associated with the lost or stolen security token so that the lost or stolen token cannot be used to access the user's devices.
- a laptop computer can implement the method depicted in FIG. 4A .
- a user of the laptop computer can have a password to access the cellular phone. Once the user enters the password, the user has provided evidence to the laptop of the user's identity and the laptop can unlock in response.
- the laptop computer can receive a signal from another device (e.g., cellular telephone example as described with respect to FIG. 3) to monitor for a signal from a hardware security token. Once the laptop receives the signal, the laptop can deputize the signal as an identity proxy for the active user of the laptop.
- a user can be in possession of a hardware security token configured for intrabody communication as described with respect to FIG. 1, a cellular phone configured to perform the method depicted in FIG. 3, and a laptop configured to perform the method depicted in FIG. 4A.
- the user can grasp her cellular phone, which, after detecting the hardware security token signal, can automatically request to deputize it as an identity proxy for the user.
- the cellular phone can then send a signal to the laptop to deputize the signal for the same user. Thereafter, the user can touch the laptop in order to deputize the signal as the user's identity proxy thereon.
- deputizing the signal as an identity proxy for use with the cellular phone may be a two-step process for the user, whereas deputizing the signal as an identity proxy for use with the laptop may be a one-step process.
- FIG. 4B depicts example operations of yet another method of deputizing a hardware security token as an identity proxy for a previously-authenticated user.
- the method can begin at operation 408 , which can receive a notification to deputize a hardware security token signal as an identity proxy for a particular selected user.
- the instruction can be completed at operation 410 .
- the method depicted in FIG. 4B can be implemented on an electronic device that a particular user is authorized to access.
- a laptop computer can implement the method depicted in FIG. 4B , and can be in communication with a cellular phone that can implement the method depicted in FIG. 3 .
- once the cellular phone receives permission from the user to deputize the hardware security token as an identity proxy for use with the cellular phone, the cellular phone can then send a signal to the laptop to deputize the signal for the same user.
- deputizing the signal as an identity proxy for use with the cellular phone may be a two-step process for the user, whereas deputizing the signal as an identity proxy for use with the laptop may occur automatically.
- the method depicted in FIG. 4B can be implemented by a plurality of electronic devices each associated with a single electronic device system.
- the cellular phone can then send a signal to a plurality of electronic devices to deputize the signal for the same user. More particularly, each device associated with the electronic device system can receive a signal to deputize the same hardware security device token signal as an identity proxy for the same user.
- FIGS. 5A-5B each depict a front view of independent electronic devices of an example electronic device system operated by a user with a hardware security token configured for intrabody communication.
- FIG. 5A depicts an electronic device 504 implemented as a cellular phone that is operated by a user 502 in possession of a hardware security token 500 .
- the electronic device 504 can implement the method depicted in FIG. 3. As illustrated, the electronic device 504 can request whether the user 502 approves deputizing the signal transmitted by the hardware security token 500 at other devices associated with the electronic device system.
- FIG. 5B depicts one such device, electronic device 506 .
- the electronic device 506 can implement the method depicted in either FIG. 4A or FIG. 4B such that once the user 502 has deputized the signal generated by the hardware security token 500, the user 502 can gain authenticated access to each of the devices in the electronic device system with the user's touch, such as depicted in FIG. 5B.
- FIG. 6 depicts example operations of a method of using a security token signal as a proxy for the credentials of a previously-authenticated user.
- The method can begin at operation 600, which can detect a security token signal at a particular electronic device. Thereafter at 602, a security database can be queried to determine whether the security token signal received at 600 is deputized as a proxy for any one of the users authorized to access the electronic device. At 604, the method may check a local database to determine whether the security token signal received at 600 is deputized as a proxy for any one of the users authorized to access the electronic device. Optionally or additionally, the method can continue to operation 606 if the security token signal received at 600 is not included within a local database.
- The method may check a remote database to determine whether the security token signal received at 600 is deputized as a proxy for any one of the users authorized to access the electronic device.
- The remote database may be contained on another electronic device owned and/or operated by the user. In other examples, the remote database can be managed and/or controlled by a third party. Once either or both the local and remote databases are queried, it can be determined whether permission to access the electronic device should be granted at operation 608. In these embodiments, if it is determined that the security token signal received at 600 is deputized, the method may terminate at operation 612 by permitting access to the electronic device. Alternatively, if it is determined that the security token signal received at 600 is not deputized, the method may terminate at 610 by denying access to the electronic device.
- Various implementations of the method depicted in FIG. 6 may include queries to local and/or remote databases.
- The method can include queries to more than one local database.
- The method can include queries to more than one remote database.
- Both local and remote databases can be queried.
- Communications and/or queries between the electronic device and remote databases can be encrypted.
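The lookup order of FIG. 6 can be sketched as follows. This is an added example, not code from the patent: `ProxyStore`, `check_access`, `StoreUnavailable`, the SHA-256 keying of the databases and the sample signals are all assumptions made for illustration.

```python
import hashlib


class StoreUnavailable(Exception):
    """A database could not be reached (hypothetical error type for this example)."""


def token_digest(signal: bytes) -> str:
    """Key the databases by SHA-256 digest so they never hold the raw proxy signal."""
    return hashlib.sha256(signal).hexdigest()


class ProxyStore:
    """One local or remote database: token digest -> user the signal is deputized for."""

    def __init__(self, name, entries=None, reachable=True):
        self.name = name
        self.reachable = reachable
        self.queries = 0  # lets a caller confirm which databases were consulted
        self._entries = {token_digest(s): u for s, u in (entries or {}).items()}

    def lookup(self, digest):
        self.queries += 1
        if not self.reachable:
            raise StoreUnavailable(self.name)
        return self._entries.get(digest)


def check_access(signal, authorized_users, local_stores, remote_stores):
    """Operations 600-612 of FIG. 6. Returns (granted, user, store_name)."""
    digest = token_digest(signal)  # 600: security token signal detected
    # 604 then 606: remote databases are consulted only after every local miss,
    # so a locally known signal triggers no remote query.
    for store in [*local_stores, *remote_stores]:
        try:
            user = store.lookup(digest)
        except StoreUnavailable:
            continue  # fail closed: an unreachable database can never grant access
        # 608: the signal must be deputized for a user this device authorizes.
        if user is not None and user in authorized_users:
            return (True, user, store.name)  # 612: permit access
    return (False, None, None)  # 610: deny access


# Constructed sample data: signals, user names and store names are made up.
RING = b"constructed-ring-signal"
BAND = b"constructed-band-signal"
STRAY = b"constructed-unknown-signal"


def demo():
    local = ProxyStore("local", {RING: "alice"})
    remote = ProxyStore("remote-account", {BAND: "alice"})
    offline = ProxyStore("remote-account", {BAND: "alice"}, reachable=False)
    users = {"alice"}
    return {
        "ring": check_access(RING, users, [local], [remote]),
        "band": check_access(BAND, users, [local], [remote]),
        "stray": check_access(STRAY, users, [local], [remote]),
        "band_offline": check_access(BAND, users, [local], [offline]),
        "band_other_device": check_access(BAND, {"bob"}, [local], [remote]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The last two cases show the deny paths that matter in practice: a remote database that cannot be reached, and a signal that is deputized for a user this particular device does not authorize.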
- FIGS. 7A-7B each depict views of independent electronic devices of an example electronic device system controlled by one user and operated by another user with a hardware security token configured for intrabody communication.
- FIG. 7A depicts an electronic device 704 implemented as a cellular phone that is operated by a user 702 in possession of a hardware security token 700 configured for intrabody communication.
- The hardware security token 700 is implemented as a finger ring.
- The electronic device 704 can ask whether the user 702 approves deputizing the signal transmitted by the hardware security token 700 as a security proxy at other devices associated with the electronic device system. More particularly, the electronic device 704 can ask whether the user 702 would like to associate the signal transmitted by the hardware security token 700 with a particular user identity and/or permission level. In such an example, the user 702 may associate the signal transmitted by the hardware security token 700 with limited permissions, such as parental controls. In many embodiments, the user 702 can instruct the device 704 to propagate the user's approval to other devices associated with the electronic device system.
- FIG. 7B depicts one such device, the electronic device 706. In one example, the electronic device 706 can implement the method depicted in either FIG.
- A second user 708 can gain authenticated access to each of the devices in the electronic device system with the second user's touch, such as depicted in FIG. 7B.
- The second user 708 may have limited access to each of the devices of the electronic device system.
- A parent can control a child's access to various electronic devices controlled by the parent by deputizing a hardware security token worn by the child for limited access to the one or more electronic devices.
- FIG. 8 depicts example operations of a method of controlling access associated with a security token signal as a proxy for the credentials of a previously-authenticated user.
- The method can begin at operation 800 in which a security token signal is received.
- The security token signal may be deputized as an identity proxy for an authorized user of a particular electronic device.
- The method can determine whether the permissions associated with the identity proxy are valid.
- The permissions associated with the identity proxy can expire after a certain period of time has lapsed.
- A signal received from a hardware security token may serve as a valid identity proxy only for a limited period of time.
- The permissions associated with the identity proxy can expire within (or external to) certain geographic regions.
- A signal received from a hardware security token may serve as a valid identity proxy only within certain geographic regions and/or geographic fences.
- A hardware security token may serve as a valid identity proxy only when a user is at home or at work.
- The permissions associated with the identity proxy can be invalid at particular times of day.
- A signal received from a hardware security token may serve as a valid identity proxy only during the working day.
- The permissions associated with the identity proxy can be valid only if they are accompanied by another identifying action.
- A signal received from a hardware security token may serve as a valid identity proxy only when received in conjunction with a passcode, a password, biometric data, and the like.
- An identity proxy can serve as a second layer of security.
- The method can continue to operation 806 to permit access to the electronic device.
- The method can terminate at operation 808 to deny access to the electronic device.
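The validity conditions listed for FIG. 8 (lifetime, geographic fence, time of day, accompanying second factor) can be combined into one fail-closed check. This is an added example, not code from the patent: `ProxyGrant`, `Context`, `Geofence`, `evaluate`, the UTC time window and the sample coordinates are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple


@dataclass(frozen=True)
class Geofence:
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat: float, lon: float) -> bool:
        # Haversine great-circle distance on a sphere of radius 6,371 km.
        p1, p2 = radians(self.lat), radians(lat)
        dp, dl = p2 - p1, radians(lon - self.lon)
        a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
        return 2 * 6_371_000 * asin(sqrt(a)) <= self.radius_m


@dataclass(frozen=True)
class ProxyGrant:
    """Permissions attached to a deputized signal (hypothetical record layout)."""
    user: str
    deputized_at: datetime
    lifetime: Optional[timedelta] = None       # None: no expiry
    fences: Tuple[Geofence, ...] = ()          # empty: valid anywhere
    hours: Optional[Tuple[time, time]] = None  # [start, end) in UTC; None: any time
    needs_second_factor: bool = False


@dataclass(frozen=True)
class Context:
    """What the device knows when the signal arrives (operation 800)."""
    now: datetime
    location: Optional[Tuple[float, float]] = None
    second_factor_ok: bool = False


def evaluate(grant: ProxyGrant, ctx: Context) -> Tuple[bool, str]:
    """Return (True, 'ok') to permit (806) or (False, reason) to deny (808)."""
    if grant.lifetime is not None and ctx.now >= grant.deputized_at + grant.lifetime:
        return (False, "expired")
    if grant.fences:
        if ctx.location is None:
            return (False, "location-unknown")  # no fix means no grant
        if not any(f.contains(*ctx.location) for f in grant.fences):
            return (False, "outside-geofence")
    if grant.hours is not None:
        start, end = grant.hours
        t = ctx.now.astimezone(timezone.utc).time()
        # A window such as 22:00-06:00 wraps past midnight.
        inside = start <= t < end if start <= end else (t >= start or t < end)
        if not inside:
            return (False, "outside-hours")
    if grant.needs_second_factor and not ctx.second_factor_ok:
        return (False, "second-factor-required")
    return (True, "ok")


# Constructed sample data: coordinates, users and times are made up.
HOME = Geofence(37.0, -122.0, 200.0)
T0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)


def demo():
    child = ProxyGrant("child", T0, lifetime=timedelta(hours=8), fences=(HOME,),
                       hours=(time(9), time(17)))
    guard = ProxyGrant("guard", T0, hours=(time(22), time(6)), needs_second_factor=True)
    at_home, away = (37.0, -122.0), (38.0, -122.0)
    hour = timedelta(hours=1)
    return {
        "home_morning": evaluate(child, Context(T0 + hour, at_home)),
        "no_location": evaluate(child, Context(T0 + hour)),
        "away": evaluate(child, Context(T0 + hour, away)),
        "expired": evaluate(child, Context(T0 + 8 * hour, at_home)),
        "guard_daytime": evaluate(guard, Context(T0 + 3 * hour, second_factor_ok=True)),
        "guard_no_pin": evaluate(guard, Context(T0 + 14.5 * hour)),
        "guard_ok": evaluate(guard, Context(T0 + 14.5 * hour, second_factor_ok=True)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```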
Abstract
A hardware security token in contact with a user's body can send a signal via interbody communication to one or more electronic devices associated with a system of electronic devices having unified access controls such that a user can access each of the electronic devices using the same credentials. The signal sent by the hardware security token can be deputized by a user in possession of credentials to the system as a temporary proxy for that user's identity. In other examples, the signal sent by the portable security token can be deputized by a user in possession of credentials to the system as a temporary proxy for another user's identity. In some embodiments, the proxy can expire after a period of time or after a particular event occurs.
Description
- This application is a continuation of U.S. patent application Ser. No. 14/486,707, filed Sep. 15, 2014, the contents of which are incorporated by reference as if fully disclosed herein.
- The present disclosure relates generally to access control systems for electronic devices, and more particularly, to systems and methods for using portable security tokens as identity proxies for access control systems.
- An electronic device can include access control features to limit or prevent unauthorized access to the content or functionality of the device until a user's identity is confirmed. For example, a smartphone may require entry of a passcode before information stored on (or accessible to) the smartphone can be obtained. Once unlocked, the smartphone can re-lock after a certain timeout period has expired.
- Electronic devices that can include access control features include cellular phones, smartphones, handheld computing devices, tablet computing devices, laptop computers, desktop computers, home appliances, personal electronic accessories, automobiles, home automation and/or security systems, medical devices, health devices, sports devices, wearable devices and so on.
- However, in many cases, the frequent authentication required of an authorized user to gain access to an electronic device may become onerous. Furthermore, many users may regularly operate more than one electronic device, each requiring frequent and independent verification of a user's identity. In these examples, a user may opt to disable access control features altogether, exchanging security and privacy for convenient access.
- Accordingly, there may be a present need for an improved access control system for use with electronic devices and systems.
- Embodiments described herein may relate to, include, or take the form of a method of authorizing access to a system with a plurality of electronic devices, the method including at least the operations of receiving a modulated capacitance signal, requesting a credential associated with a user authorized to access the system (e.g., biometric information such as a fingerprint), requesting that the user authorize the modulated capacitance signal as a proxy for the credential, and upon receiving user authorization permitting access to any of the plurality of electronic devices that receives the modulated capacitance signal within a selected timeout period, and denying access to each of the plurality of electronic devices once the timeout period has expired. In other examples, access or denial of access can be correlated to geographic regions.
- In many examples, modulated capacitance signals can originate from a portable authentication token in contact with the user's body. For example, the token can be a ring worn on a user's finger, a band worn on a user's limb, a capsule ingested by a user, or an electronic device implanted within the user's body.
- In many examples, the modulated capacitance signal can take the form of a digital code, such as a universally unique identifier (“UUID”). In other examples, the modulated capacitance signal can take the form of the output of a one-way function, such as a hash function. In other examples, the modulated capacitance signal can take the form of the output of an asymmetric key generation algorithm. In still further examples, the modulated capacitance signal can take the form of a rolling code.
- Some embodiments described herein may relate to a method of authorizing access to an electronic device, the method including at least the operations of receiving a modulated capacitance signal, determining whether the modulated capacitance signal may be authorized as a proxy for a credential associated with an operating user authorized to access the electronic device, and upon determining that the modulated capacitance signal may be authorized, permitting access to the electronic device associated with the operating user.
- Still further embodiments described herein may relate to, include, or take the form of a method of obtaining authorized access to a secure electronic device associated with a system of electronic devices, the method including at least the operations of sending a modulated capacitance signal corresponding to a unique identifier to an enrollment device, receiving a request from the enrollment device to provide a biometric credential associated with an authorized user of the system, providing the biometric credential, receiving a request from the secure electronic device to authorize the unique identifier as a proxy for the biometric credential, and sending the modulated capacitance signal to the secure electronic device to obtain access to the secure electronic device.
- Reference will now be made to representative embodiments illustrated in the accompanying figures. It should be understood that the following descriptions are not intended to limit the disclosure to one preferred embodiment. To the contrary, each is intended to cover alternatives, modifications, and equivalents as may be included within the spirit and scope of the described embodiments as defined by the appended claims.
- FIG. 1 depicts a front view of an example electronic device operated by a user with a hardware security token.
- FIG. 2 depicts a simplified signal flow diagram of an access control system for use with an electronic device.
- FIG. 3 depicts example operations of a method of deputizing a hardware security token as an identity proxy for a previously-authenticated user.
- FIG. 4A depicts example operations of a method of deputizing a hardware security token as an identity proxy for a previously-authenticated user.
- FIG. 4B depicts example operations of a method of deputizing a hardware security token as an identity proxy for a previously-authenticated user.
- FIG. 5A depicts a front view of an example electronic device system operated by a user with a hardware security token.
- FIG. 5B depicts a front view of an electronic device associated with the system of FIG. 5A, permitting access by accepting a security token signal as a proxy for the credentials of a previously-authenticated user.
- FIG. 6 depicts example operations of a method of using a security token signal as a proxy for the credentials of a previously-authenticated user.
- FIG. 7A depicts a front view of another example electronic device system operated by a user with a hardware security token.
- FIG. 7B depicts a front view of an electronic device associated with the system of FIG. 7A, permitting limited access by accepting a security token signal as a proxy for the credentials of a previously-authenticated limited-access user.
- FIG. 8 depicts example operations of a method of controlling access associated with a security token signal as a proxy for the credentials of a previously-authenticated user.
- The use of the same or similar reference numerals in different drawings indicates similar, related, or identical items where appropriate.
- Generally, embodiments may permit a user to access, control, and otherwise interact with electronic devices and/or systems. A token may be carried by or associated with a user. So long as the user maintains the association with the token, the user can interact with the electronic device. The token may permit device access for a set period or indefinitely, and may replace or augment a password or other security measure. In some embodiments, the user's natural body capacitance may modulate a signal between the token and the device, thereby inherently limiting the reach of the token's authority and thus enhancing security.
- Embodiments described herein relate to access control for electronic devices and systems. In many embodiments, a user may have authorization to access the content and features of an electronic device. The electronic device may provide an access control feature such as a passcode or password as a challenge to the user to prove or confirm the user's identity. After the user provides the correct passcode, the electronic device can permit access to the content or features of the electronic device. In other words, an unknown user is identified as an authorized user when the electronic device receives a recognized passcode.
- In one embodiment, an authorized user of an electronic device can deputize a proxy that may identify the user to the electronic device. As one example, the user may select a unique signal or code, sent in one example from a hardware security token, as a proxy for that user's identity.
- For example, a hardware security token, such as a keyfob, can generate a unique signal that can be detected by an electronic device. When a user in possession of the keyfob comes into proximity of the electronic device, the electronic device can detect the unique signal (“proxy signal”). Upon detecting the proxy signal, the electronic device can consider the identity of the user to be confirmed, and, accordingly, permit access to the content and features of the electronic device without requiring entry of the passcode or password.
- In some examples, a hardware security token can transmit the proxy signal wirelessly. In one embodiment, the hardware security token can transmit over standardized protocols such as, but not necessarily limited to, Near Field Communication, Wi-Fi or Bluetooth. In other examples, other wireless protocols can be used. In one embodiment, the transmit strength of the hardware security token may be intentionally limited so as to define a radius beyond which the proxy signal cannot be detected by the electronic device.
- In another embodiment, the hardware security token can transmit the proxy signal via frequency and/or amplitude modulated light. In one embodiment, the hardware security token can transmit an infrared signal. In some embodiments, other frequency bands may be used. In some examples, the maximum brightness output by the hardware security token can be intentionally limited.
- In still further embodiments, the hardware security token can transmit the proxy signal through a user's body via intrabody communication (“intrabody security token”). In one example, the intrabody security token can transmit the signal by modulating the body capacitance of the user.
- In some embodiments, a single proxy signal can be output by more than one hardware security token. In other words, a user may deputize a single proxy signal as an identity proxy for a particular electronic device, but that user may obtain multiple hardware security tokens and may configure each token to output the same proxy signal.
- In certain embodiments, multiple proxy signals can be used as identity proxies for the same user.
- In some embodiments, a single proxy signal (or a single hardware security token) can be deputized by a user as an identity proxy for a system of electronic devices owned and/or managed by the user. For example, a user may have a cellular telephone, a tablet computer, a laptop computer, a desktop computer, and a vehicle. Each of these electronic devices may be connected to a central account associated with the user. The central account can be managed by the user, a third party, as a mesh network between each of the devices, and so on. In arrangements lacking embodiments described herein, a user may be required to recall and enter six separate passcodes and/or passwords to access each of the six electronic devices. However, with certain embodiments described herein, the user can deputize a signal (and/or hardware security token) as a proxy for the central account associated with each device. Thus, when each respective device detects, measures, or otherwise obtains the proxy signal, each device can consider the user to be appropriately identified.
- Continuing the example, the user described above can deputize an intrabody security token. As a result, when the user grasps her cellular phone, the cellular phone can detect the proxy signal from the intrabody security token and, in response, can automatically unlock. When the user next reaches for her tablet, the tablet can automatically unlock despite the fact that the tablet and the cellular phone can be secured with different passcodes or passwords. Similarly, when the user approaches the driver's side door of her vehicle and grasps the handle or latch, the vehicle can unlock.
- FIG. 1 depicts a front view of an example electronic device operated by a user in conjunction with a hardware security token that the user may keep with her at all times.
- As illustrated, the user 102 may attach the hardware security token 100 to herself. The hardware security token 100 can be attached via a band or strap to the user's wrist. In other examples, different means of keeping the hardware security token 100 in the user's possession can be used. For example, the hardware security token 100 can be kept by the user in a pocket or on a keychain. In other examples, the hardware security token 100 can be kept in a wallet or purse. In still further examples, the hardware security token 100 may be worn as an accessory such as a bracelet, necklace, earring, anklet, earpiece, and so on.
- In many embodiments, a hardware security token may be configured to generate a unique signal or code that can be detected by an electronic device 104. In many examples, the unique signal or code can take the form of a digital code, such as a UUID. In some embodiments, the unique signal or code can take the form of the digest of a one-way function, such as a cryptographic hash function (e.g., MD5, SHA3, and so on). In other examples, the unique signal or code can take the form of the output of an asymmetric key generation algorithm. In still further examples, the unique signal or code can take the form of a rolling code.
- For many embodiments described herein, the user 102 can deputize the hardware security token 100 as a proxy for the user's identity known to the electronic device 104. As one example, in one embodiment, the electronic device 104 can detect the presence of a hardware security token 100 by monitoring for the unique code or signal output from the hardware security token 100.
- Once detected, the electronic device 104 can request permission from the user 102 to deputize the hardware security token 100. For example, the electronic device 104 can request the user 102's permission by showing a confirmation dialog 108 on a display 106. A user can interact with the confirmation dialog 108 to authorize the hardware security token 100. Thereafter, the hardware security token 100 can be considered by the electronic device 104 as an identity proxy for the user 102. In other examples, the electronic device can request the user enter a particular authorization code. In another example, the electronic device can request the user enter a hardware code associated with the hardware security token (e.g., model number, serial number, and so on). In other examples, the hardware security token 100 can be deputized automatically or by any other process.
- Accordingly, the unique code or signal is generally referred to herein as a “proxy signal.”
- In one embodiment, the hardware security token 100 can transmit the proxy signal wirelessly. For example, the hardware security token 100 can transmit over standardized protocols such as, but not necessarily limited to, Near Field Communication, Wi-Fi or Bluetooth. In other examples, other wireless protocols (including proprietary protocols) can be used. In these examples, the hardware security token 100 may include a processor, a memory for storing instructions executed by the processor, a battery or other power source, and one or more wireless communication modules. In many cases, the processor can execute instructions stored in the memory in order to generate the proxy signal. The processor can direct the proxy signal to the wireless communication module for transmission.
- In some examples, the transmit strength of the wireless communication module of the hardware security token 100 may be intentionally limited so as to define a radius beyond which the proxy signal cannot be readily detected. In many cases, the transmit strength can be determined by the processor of the hardware security token 100. In other examples, the transmit strength can be physically limited by selecting specific geometry for an antenna associated with the wireless transmit module. In still further embodiments, the transmit strength can be dynamically variable by the processor of the hardware security token 100, or may be selectable by the user 102.
- In another embodiment, the hardware security token 100 can transmit the proxy signal via frequency and/or amplitude modulated light. In one embodiment, the hardware security token 100 can transmit over infrared. In such examples, the hardware security token 100 may include an infrared light emitting diode. In some embodiments, other frequency bands of light may be used. For example, the hardware security token 100 may transmit the proxy signal with visible light. As with some embodiments described herein, the maximum brightness output by the hardware security token 100 can be intentionally limited so as to define a maximum transmit radius.
- In still further examples, the hardware security token 100 can transmit the proxy signal through a body of user 102 via intrabody communication. As with other embodiments described herein, intrabody communication can be intentionally limited and/or attenuated so as to define a distance from the user's body beyond which the proxy signal cannot be readily detected. For example, in certain embodiments, modulation of the body capacitance of the user can be detectable only on a user's touch. In another example, modulation of the body capacitance of the user can be detectable only within a few centimeters of the user's skin.
- In these embodiments, a hardware security token configured for intrabody communication is generally referred to herein as an “intrabody security token.”
- In one example, the intrabody security token 100 can transmit the proxy signal by modulating the body capacitance of the user 102. As one example, the intrabody security token 100 may augment the capacitance of the user's body with respect to ground so as to produce a modulated electrical signal measurable by the electronic device 104 once the user 102 touches the electronic device 104.
- More generally, the intrabody security token 100 can produce a proxy signal that is detectable only when the user 102 touches, or is in very close physical proximity to, the electronic device 104. Although a modulated capacitance signal may be described with respect to many embodiments herein, other intrabody communication techniques can be used, for example, ultrasonic signaling, galvanic coupling, intrabody optical transmission, and so on.
- As noted above, the intrabody security token 100 can be worn by a user. For example, as illustrated, the intrabody security token 100 can be formed as or included within a band worn on the user's limb. In another example, the intrabody security token 100 can be included within an accessory meant to be worn on a user's finger, toe, ear, or other body part. In another example, the intrabody security token 100 can be partially or fully implanted within a user, such as by piercing through a portion of the user's skin and/or being surgically implanted. In another example, the intrabody security token 100 can be formed into the user's skin via a tattooing process. In such examples, the intrabody security token 100 may be in part formed from conductive ink. In still further examples, the intrabody security token 100 can be applied to the user's skin via an adhesive.
- In still further examples, the intrabody security token 100 can be temporarily or permanently utilized while it is within a user's body. For example, the intrabody security token 100 may be formed on or within a user's tooth. In another example, the intrabody security token 100 can be included within a capsule or pill ingested by the user. In still further examples, the intrabody security token 100 can be included within a medical accessory or device configured to be worn or otherwise attached to a user such as an insulin pump, a defibrillator, an artificial joint, an embedded structure or device, a radiation or medication delivery device, an artificial limb or appendage, a diagnostic device, and so on.
- FIG. 2 depicts a simplified signal flow diagram of an access control system for use with an electronic device. Similar to embodiments described above, a hardware security token 200 may be in communication with an electronic device 204. In some embodiments, the hardware security token 200 can be capacitively coupled to the electronic device 204 via a capacitive interface 202. In some intrabody communication embodiments, the capacitive interface 202 can be the user's body capacitance that is augmented or controlled by the hardware security token 200. In some embodiments, other means of communication between the hardware security token 200 and the electronic device 204 can be used.
- The electronic device 204 can have a processor 206 that is operably associated with a memory 208, a biometric sensor 210 (e.g., fingerprint sensor), an input/output device 212, and a display 214. In many embodiments, the processor 206 can be configured to execute one or more instructions stored in the memory 208 to perform or coordinate one or more functions or features of the electronic device 204. In some embodiments, additional or fewer components can be implemented within an electronic device 204. For example, certain electronic devices 204 may not necessarily include a biometric sensor 210.
- The electronic device 204 can receive a proxy signal from the hardware security token 200 through a sensing unit 214. The sensing unit 214 can vary from embodiment to embodiment, depending upon the type of proxy signal expected from a particular hardware security token 200. For example, if a hardware security token 200 is configured for intrabody communication via modulating capacitance, the sensing unit 214 may be configured to monitor for changes in capacitance. In another embodiment, if a hardware security token 200 is configured for intrabody communication via Wi-Fi, the sensing unit 214 may be configured to monitor a Wi-Fi frequency band.
- FIG. 3 depicts example operations of a method of deputizing a hardware security token as an identity proxy for a previously-authenticated user. The method can begin at operation 300 at which a hardware security token signal can be detected. In many embodiments, the signal can be detected by an electronic device. For example, a laptop computer can incorporate a sensing unit that is configured to measure, detect, or receive a hardware security token signal.
- After the signal is detected, the method can continue to operation 302 to query whether the signal should be deputized as an identity proxy for a previously-authenticated user. As with operation 300, operation 302 can be performed by an electronic device. In many embodiments, the electronic device may simply request permission from a user to deputize the signal as a proxy for that user's identity. In one example, the electronic device can display a message on a screen of the device requesting such permission (see, e.g., FIG. 1).
- In some embodiments, the electronic device may request a user's password or passcode before the electronic device accepts the signal as a proxy for that user's identity. In further embodiments, the electronic device may request that the user provide biometric confirmation. For example, before the electronic device considers the signal as an identity proxy for the user, the electronic device can request the user authenticate the user's identity by providing a fingerprint.
- If the electronic device receives permission from the user at operation 304 to deputize the detected hardware security token signal as an identity proxy for the user, the method can continue to operation 306 at which the association between the hardware security token signal and the user's identity can be saved. Otherwise, the method can continue from operation 304 to operation 308 at which the detected hardware security token signal is disregarded and/or ignored.
- As noted above, the method depicted in FIG. 3 can be implemented on an electronic device that a particular user is authorized to access. For example, in certain embodiments, a cellular telephone can implement the method depicted in FIG. 3. In such an example, a user of the cellular phone can have a passcode to access the cellular phone. Once the user enters the passcode, the user has provided evidence to the cellular phone of the user's identity and the cellular phone can unlock in response. In these embodiments, the user can have a hardware security token that outputs a particular unique signal. Once the cellular phone is unlocked and receives the unique signal, the cellular phone can ask the user whether the unique signal should be deputized as an identity proxy for the user. The user can approve the cellular phone's request by providing a fingerprint (in one example) to confirm the user's identity and approval. Thus, when the cellular phone next detects the proxy signal, the cellular phone can unlock without requiring the passcode.
- FIG. 4A depicts example operations of another method of deputizing a hardware security token as an identity proxy for a previously-authenticated user. The method can begin at operation 400 which can receive a notification to monitor (“monitoring signal”) for a new security token signal for a selected period of time. The operation 400 can be performed, in some embodiments, by an electronic device. For example, in certain embodiments, an electronic device can receive the monitoring signal over Wi-Fi or Bluetooth. In another embodiment, the electronic device can receive the monitoring signal via a request from a remote system over the Internet. For example, some electronic devices can be connected, via the Internet, to one or more notification services (e.g., push notifications, email notifications, account notifications, and so on).
- Once the monitor notification is received, the method can continue to operation 402 at which a security token signal can be received. Thereafter at 404, the received signal can be compared to the new security token signal, and, if the signals match, the method can conclude at operation 406, in which the received signal is deputized as an identity proxy for the currently active user.
- In some examples, an identity proxy can be passed from user to user to access the same device. For example, a parent can deputize a security token formed as a finger ring and configured to transmit the proxy signal via intrabody communication. As with other embodiments described herein, the parent may access each of the parent's electronic devices (e.g., cell phone, tablet computer, and so on). If the parent removes the ring and gives the ring to a child, the child can access the parent's electronic devices without separate permissions from the parent.
- In another example, an on-duty security guard may wear a wrist band configured to transmit the proxy signal via intrabody communication. For example, the security guard can access secure areas within a building by touching an input panel configured to control access to the secure area. When the security guard's shift is over, the security guard can pass the wrist band to the next security guard on duty.
- In some examples, a security token may be lost or stolen. In such cases, a user can revoke the privileges associated with the lost or stolen security token so that the lost or stolen token cannot be used to access the user's devices.
- As noted above, the method depicted in FIG. 4 can be implemented on an electronic device that a particular user is authorized to access. For example, in certain embodiments, a laptop computer can implement the method depicted in FIG. 4A. In such an example, a user of the laptop computer can have a password to access the cellular phone. Once the user enters the password, the user has provided evidence to the laptop of the user's identity and the laptop can unlock in response. In these embodiments, the laptop computer can receive a signal from another device (e.g., the cellular telephone example described with respect to FIG. 3) to monitor for a signal from a hardware security token. Once the laptop receives the signal, the laptop can deputize the signal as an identity proxy for the active user of the laptop.
- As one non-limiting example, a user can be in possession of a hardware security token configured for intrabody communication as described with respect to FIG. 1, a cellular phone configured to perform the method depicted in FIG. 3, and a laptop configured to perform the method depicted in FIG. 4A. In this example, the user can grasp her cellular phone, which, after detecting the hardware security token signal, can automatically request to deputize it as an identity proxy for the user. The cellular phone can then send a signal to the laptop to deputize the signal for the same user. Thereafter, the user can touch the laptop in order to deputize the signal as the user's identity proxy thereon.
- In this manner, deputizing the signal as an identity proxy for use with the cellular phone may be a two-step process for the user, whereas deputizing the signal as an identity proxy for use with the laptop may be a one-step process.
- FIG. 4B depicts example operations of yet another method of deputizing a hardware security token as an identity proxy for a previously-authenticated user. The method can begin at operation 408, which can receive a notification to deputize a hardware security token signal as an identity proxy for a particular selected user. The instruction can be completed at operation 410.
- As with the method depicted in FIG. 4A, the method depicted in FIG. 4B can be implemented on an electronic device that a particular user is authorized to access. To continue the examples described above, in certain embodiments, a laptop computer can implement the method depicted in FIG. 4B, and can be in communication with a cellular phone that can implement the method depicted in FIG. 3. Once the cellular phone receives permission from the user to deputize the hardware security token as an identity proxy for use with the cellular phone, the cellular phone can then send a signal to the laptop to deputize the signal for the same user.
- In this manner, deputizing the signal as an identity proxy for use with the cellular phone may be a two-step process for the user, whereas deputizing the signal as an identity proxy for use with the laptop may occur automatically.
- In many embodiments, the method depicted in FIG. 4B can be implemented by a plurality of electronic devices each associated with a single electronic device system. For example, continuing the example above, once the cellular phone receives permission from the user to deputize the hardware security token as an identity proxy for use with the cellular phone, the cellular phone can then send a signal to a plurality of electronic devices to deputize the signal for the same user. More particularly, each device associated with the electronic device system can receive a signal to deputize the same hardware security device token signal as an identity proxy for the same user.
- FIGS. 5A-5B each depict a front view of independent electronic devices of an example electronic device system operated by a user with a hardware security token configured for intrabody communication.
- For example, FIG. 5A depicts an electronic device 504 implemented as a cellular phone that is operated by a user 502 in possession of a hardware security token 500. In some embodiments, the electronic device 504 can implement the method depicted in FIG. 3. As illustrated, the electronic device 504 can request whether the user 502 approves deputizing the signal transmitted by the hardware security token 500 at other devices associated with the electronic device system. FIG. 5B depicts one such device, electronic device 506. The electronic device 506 can implement the method depicted in either FIG. 4A or FIG. 4B such that once the user 502 has deputized the signal generated by the hardware security token 500, the user 502 can gain authenticated access to each of the devices in the electronic device system with the user's touch, such as depicted in FIG. 5B.
- FIG. 6 depicts example operations of a method of using a security token signal as a proxy for the credentials of a previously-authenticated user. The method can begin at operation 600, which can detect a security token signal at a particular electronic device. Thereafter, at 602, a security database can be queried to determine whether the security token signal received at 600 is deputized as a proxy for any one of the users authorized to access the electronic device. At 604, the method may check a local database to determine whether the security token signal received at 600 is deputized as a proxy for any one of the users authorized to access the electronic device. Optionally or additionally, the method can continue to operation 606 if the security token signal received at 600 is not included within a local database. At operation 606, the method may check a remote database to determine whether the security token signal received at 600 is deputized as a proxy for any one of the users authorized to access the electronic device. In some examples, the remote database may be contained on another electronic device owned and/or operated by the user. In other examples, the remote database can be managed and/or controlled by a third party. Once either or both the local and remote databases are queried, it can be determined whether permission to access the electronic device should be granted at operation 608. In these embodiments, if it is determined that the security token signal received at 600 is deputized, the method may terminate at operation 612 by permitting access to the electronic device. Alternatively, if it is determined that the security token signal received at 600 is not deputized, the method may terminate at 610 by denying access to the electronic device.
- As noted above, various implementations of the method depicted in FIG. 6 may include queries to local and/or remote databases. For example, in some embodiments, the method can include queries to more than one local database. In other examples, the method can include queries to more than one remote database. In still further examples, both local and remote databases can be queried.
- In many embodiments, communications and/or queries between the electronic device and remote databases can be encrypted.
- FIGS. 7A-7B each depict views of independent electronic devices of an example electronic device system controlled by one user and operated by another user with a hardware security token configured for intrabody communication.
- For example, FIG. 7A depicts an electronic device 704 implemented as a cellular phone that is operated by a user 702 in possession of a hardware security token 700 configured for intrabody communication. In the illustrated embodiment, the hardware security token 700 is implemented as a finger ring.
- As illustrated, the electronic device 704 can request whether the user 702 approves deputizing the signal transmitted by the hardware security token 700 as a security proxy at other devices associated with the electronic device system. More particularly, the electronic device 702 can request whether the user 702 would like to associate the signal transmitted by the hardware security token 700 with a particular user identity and/or permission level. In such an example, the user 702 may associate the signal transmitted by the hardware security token 700 with limited permissions, such as parental controls. In many embodiments, the user 702 can instruct the device 704 to propagate the user's approval to other devices associated with the electronic device system. FIG. 7B depicts one such device, the electronic device 706. In one example, the electronic device 706 can implement the method depicted in either FIG. 4B such that once the user 702 has deputized the signal generated by the hardware security token 700, a second user 708 can gain authenticated access to each of the devices in the electronic device system with the second user's touch, such as depicted in FIG. 7B. In these embodiments, the second user 708 may have limited access to each of the devices of the electronic device system.
- In one non-limiting example that can correspond to FIGS. 7A-7B, in some embodiments a parent can control a child's access to various electronic devices controlled by the parent by deputizing a hardware security token worn by the child for limited access to the one or more electronic devices.
- FIG. 8 depicts example operations of a method of controlling access associated with a security token signal as a proxy for the credentials of a previously-authenticated user. The method can begin at operation 800, in which a security token signal is received. The security token signal may be deputized as an identity proxy for an authorized user of a particular electronic device. Thereafter, at 804, the method can determine whether the permissions associated with the identity proxy are valid.
- For example, in one embodiment, the permissions associated with the identity proxy can expire after a certain period of time has lapsed. As one example, a signal received from a hardware security token may serve as a valid identity proxy only for a limited period of time.
- In another embodiment, the permissions associated with the identity proxy can expire within (or external to) certain geographic regions. As one example, a signal received from a hardware security token may serve as a valid identity proxy only within certain geographic regions and/or geographic fences. For example, a hardware security token may serve as a valid identity proxy only when a user is at home or at work.
- In other examples, the permissions associated with the identity proxy can be invalid at particular times of day. As one example, a signal received from a hardware security token may serve as a valid identity proxy only during the working day.
- In other examples, the permissions associated with the identity proxy can be valid only if they are accompanied by another identifying action. As one example, a signal received from a hardware security token may serve as a valid identity proxy only when received in conjunction with a passcode, a password, biometric data, and the like. In these embodiments, an identity proxy can serve as a second layer of security.
- If the permissions associated with the identity proxy are determined to be valid, the method can continue to operation 806 to permit access to the electronic device. Alternatively, if the permissions associated with the identity proxy are determined to be invalid, the method can terminate at operation 808 to deny access to the electronic device.
- Many embodiments of the foregoing disclosure may include or may be described in relation to various methods of operation, use, manufacture, and so on. Notably, the operations of methods presented herein are meant only to be exemplary and, accordingly, are not necessarily exhaustive. For example, an alternate operation order, or fewer or additional steps, may be required or desired for particular embodiments.
- The foregoing description, for purposes of explanation, used specific nomenclature to provide a thorough understanding of the described embodiments. However, it will be apparent to one skilled in the art that the specific details are not required in order to practice the described embodiments. Thus, the foregoing descriptions of the specific embodiments described herein are presented for purposes of illustration and description. They are not meant to be exhaustive or to limit the embodiments to the precise forms disclosed. It will be apparent to one of ordinary skill in the art that many modifications and variations are possible in view of the above teachings. In particular, any features described with respect to one embodiment may also be used in some embodiments, where compatible. Likewise, the features of the different embodiments may be exchanged, substituted, or omitted where compatible and appropriate.
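The database lookup of FIG. 6 (operations 600-612) and the validity checks of FIG. 8 (operation 804) combine into a single deny-by-default decision, including revocation of a lost token. The following Python example is added here and is not code from the patent; the record fields, token IDs, region names and database stand-ins are assumptions, and the token ID is assumed to identify a signal that has already been received and verified.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Deputization:
    token_id: str                       # opaque ID of an already-verified token signal
    user: str                           # authorized user the token stands in for
    permissions: frozenset              # e.g. limited "parental control" access
    not_after: Optional[datetime] = None        # timeout period
    regions: Optional[frozenset] = None         # geographic fences where valid
    hours: Optional[Tuple[time, time]] = None   # valid time-of-day window
    needs_second_factor: bool = False           # passcode or biometric also required
    revoked: bool = False                       # lost or stolen token


@dataclass(frozen=True)
class Context:
    now: datetime
    region: Optional[str] = None        # None: the device cannot tell where it is
    second_factor_ok: bool = False


@dataclass(frozen=True)
class Decision:
    granted: bool
    user: Optional[str]
    permissions: frozenset
    reason: str


def lookup(token_id, local, remotes=()):
    """FIG. 6, operations 602-606: local database first, then remote ones."""
    record = local.get(token_id)
    if record is not None:
        return record
    for query in remotes:
        try:
            record = query(token_id)
        except OSError:
            continue                    # unreachable remote: no record, so fail closed
        if record is not None:
            return record
    return None


def invalid_reason(record, ctx):
    """FIG. 8, operation 804: return why the permissions are invalid, or None."""
    if record.revoked:
        return "revoked"
    if record.not_after is not None and ctx.now >= record.not_after:
        return "expired"
    if record.regions is not None and ctx.region not in record.regions:
        return "outside region"         # an unknown region is refused as well
    if record.hours is not None:
        start, end = record.hours
        t = ctx.now.time()
        # A window such as 22:00-06:00 wraps past midnight.
        inside = start <= t < end if start <= end else (t >= start or t < end)
        if not inside:
            return "outside hours"
    if record.needs_second_factor and not ctx.second_factor_ok:
        return "second factor required"
    return None


def authorize(token_id, ctx, local, remotes=()):
    """Deny by default; grant only the permissions attached to a valid proxy."""
    record = lookup(token_id, local, remotes)
    if record is None:
        return Decision(False, None, frozenset(), "not deputized")
    reason = invalid_reason(record, ctx)
    if reason is not None:
        return Decision(False, record.user, frozenset(), reason)
    return Decision(True, record.user, record.permissions, "ok")


# Constructed sample data: a parent's ring, a child's limited band, a lost ring.
LOCAL_DB = {
    "ring-01": Deputization("ring-01", "parent", frozenset({"unlock", "purchase"})),
    "band-02": Deputization("band-02", "parent", frozenset({"unlock"}),
                            not_after=datetime(2030, 1, 1),
                            regions=frozenset({"home"}),
                            hours=(time(15, 0), time(19, 0))),
    "ring-03": Deputization("ring-03", "parent", frozenset({"unlock"}), revoked=True),
}


def remote_db(token_id):                # constructed stand-in for a remote query
    if token_id == "band-04":
        return Deputization("band-04", "guard", frozenset({"door"}),
                            needs_second_factor=True)
    return None


def offline_remote(token_id):           # constructed stand-in for an outage
    raise ConnectionError("remote database unreachable")
```

A device that caches deputizations locally keeps honoring a revoked token until the cached record itself is marked revoked, so revocation has to reach every database the lookup consults.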
Claims (20)
1. A method of authenticating a user of an electronic device, comprising:
receiving a modulated signal through a body of the user of the electronic device;
determining whether the modulated signal is deputized as an identity proxy of an authorized user of the electronic device; and
denying the user access to a feature of the electronic device unless the modulated signal is deputized as an identity proxy of an authorized user of the electronic device.
2. The method of claim 1, further comprising:
identifying a set of valid permissions associated with the identity proxy; and
limiting access to the electronic device, by the user, to the set of valid permissions.
3. The method of claim 2, wherein identifying the set of valid permissions comprises:
identifying a period of time for which a permission associated with the identity proxy is valid; and
identifying the permission as a valid permission when a current time is within the period of time.
4. The method of claim 2, wherein identifying the set of valid permissions comprises:
identifying a first geographic region in which a permission associated with the identity proxy is valid;
determining a second geographic region in which the modulated signal is received by the electronic device; and
identifying the permission as a valid permission when the second geographic region is within the first geographic region.
5. The method of claim 1, further comprising:
requiring an identifier from the user of the electronic device;
receiving the identifier from the user of the electronic device;
determining whether the identifier identifies an authorized user of the electronic device; and
denying the user access to the feature of the electronic device unless the identifier identifies an authorized user of the electronic device.
6. The method of claim 1, wherein the electronic device is a home appliance.
7. The method of claim 1, wherein the identity proxy comprises a proxy for a credential of the authorized user.
8. An electronic device, comprising:
a capacitive interface configured to capacitively couple to a body of a user and receive a modulated signal through the body of the user;
a processor configured to:
determine whether the modulated signal is deputized as an identity proxy of an authorized user of the electronic device; and
deny the user access to a feature of the electronic device unless the modulated signal is deputized as an identity proxy of an authorized user of the electronic device.
9. The electronic device of claim 8, wherein the processor is further configured to:
identify a set of valid permissions associated with the identity proxy; and
limit access to the electronic device, by the user, to the set of valid permissions.
10. The electronic device of claim 9, wherein the processor is configured to identify the set of valid permissions by:
identifying a period of time for which a permission associated with the identity proxy is valid; and
identifying the permission as a valid permission when a current time is within the period of time.
11. The electronic device of claim 9, wherein the processor is configured to identify the set of valid permissions by:
identifying a first geographic region in which a permission associated with the identity proxy is valid;
determining a second geographic region in which the modulated signal is received by the electronic device; and
identifying the permission as a valid permission when the second geographic region is within the first geographic region.
12. The electronic device of claim 8, wherein the processor is further configured to:
require an identifier from the user of the electronic device;
receive the identifier from the user of the electronic device;
determine whether the identifier identifies an authorized user of the electronic device; and
deny the user access to the feature of the electronic device unless the identifier identifies an authorized user of the electronic device.
13. The electronic device of claim 8, wherein the electronic device is a home appliance.
14. The electronic device of claim 8, wherein the identity proxy comprises a proxy for a credential of the authorized user.
15. A method of authorizing a user to access an electronic device, the method comprising:
receiving a modulated signal at the electronic device, the modulated signal received from an authentication token and via a capacitive interface defined between the authentication token in contact with a body of the user and through a portion of the body of the user that is in contact with the electronic device;
requesting from the user, by the electronic device, a credential associated with authorized access to the electronic device; and
deputizing the modulated signal as a proxy for the credential.
16. The method of claim 15, further comprising:
permitting access to the electronic device upon receiving the modulated signal at the electronic device via the capacitive interface.
17. The method of claim 15, wherein the credential comprises biometric information associated with the user.
18. The method of claim 15, wherein the modulated signal is deputized for a timeout period.
19. The method of claim 18, wherein a selection of the timeout period is received from the user.
20. The method of claim 15, wherein the modulated signal comprises a rolling code.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/378,306 US20190236257A1 (en) | 2014-09-15 | 2019-04-08 | Identity Proxy for Access Control Systems |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/486,707 US10255422B1 (en) | 2014-09-15 | 2014-09-15 | Identity proxy for access control systems |
US16/378,306 US20190236257A1 (en) | 2014-09-15 | 2019-04-08 | Identity Proxy for Access Control Systems |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/486,707 Continuation US10255422B1 (en) | 2014-09-15 | 2014-09-15 | Identity proxy for access control systems |
Publications (1)
Publication Number | Publication Date |
---|---|
US20190236257A1 (en) | 2019-08-01 |
Family
ID=65998281
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/486,707 Active US10255422B1 (en) | 2014-09-15 | 2014-09-15 | Identity proxy for access control systems |
US16/378,306 Abandoned US20190236257A1 (en) | 2014-09-15 | 2019-04-08 | Identity Proxy for Access Control Systems |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/486,707 Active US10255422B1 (en) | 2014-09-15 | 2014-09-15 | Identity proxy for access control systems |
Country Status (1)
Country | Link |
---|---|
US (2) | US10255422B1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11588804B2 (en) | 2018-12-28 | 2023-02-21 | Apple Inc. | Providing verified claims of user identity |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180300467A1 (en) * | 2015-06-29 | 2018-10-18 | Intel Corporation | Pairing a user with a wearable computing device |
US10983753B2 (en) * | 2017-06-09 | 2021-04-20 | International Business Machines Corporation | Cognitive and interactive sensor based smart home solution |
US10659597B2 (en) * | 2018-09-27 | 2020-05-19 | International Business Machines Corporation | Limiting computing device functionality using capacitive coupling through a human body |
US11489844B2 (en) * | 2020-04-17 | 2022-11-01 | Twistlock Ltd. | On-the-fly creation of transient least privileged roles for serverless functions |
DE102020124909A1 (en) * | 2020-09-24 | 2022-03-24 | Endress+Hauser Conducta Gmbh+Co. Kg | Method of obtaining emergency device access to field devices |
Citations (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040064728A1 (en) * | 2002-09-30 | 2004-04-01 | Scheurich Christoph E. | Personal authentication method and apparatus sensing user vicinity |
US20060136717A1 (en) * | 2004-12-20 | 2006-06-22 | Mark Buer | System and method for authentication via a proximate device |
US20070255951A1 (en) * | 2005-11-21 | 2007-11-01 | Amiram Grynberg | Token Based Multi-protocol Authentication System and Methods |
US20090305742A1 (en) * | 2008-06-05 | 2009-12-10 | Ruben Caballero | Electronic device with proximity-based radio power control |
US20100113950A1 (en) * | 2008-11-05 | 2010-05-06 | Apple Inc. | Seamlessly Embedded Heart Rate Monitor |
US20100185055A1 (en) * | 2007-02-01 | 2010-07-22 | Timothy Robertson | Ingestible event marker systems |
US20100218249A1 (en) * | 2009-02-25 | 2010-08-26 | Microsoft Corporation | Authentication via a device |
US20110043328A1 (en) * | 2007-01-29 | 2011-02-24 | Fred Bassali | Advanced Vehicular Universal Transmitter Using Time Domain With Vehicle Location Loggin System |
US20110083016A1 (en) * | 2009-10-06 | 2011-04-07 | Validity Sensors, Inc. | Secure User Authentication Using Biometric Information |
US20110231012A1 (en) * | 2010-03-16 | 2011-09-22 | Sara Sprague | Apparatus, system and method for accurate dispensing of prescription medications |
US20120016793A1 (en) * | 2006-07-11 | 2012-01-19 | Jo-Ann Peters | Wearable Contactless Payment Devices |
US20130097682A1 (en) * | 2011-10-13 | 2013-04-18 | Ilija Zeljkovic | Authentication Techniques Utilizing a Computing Device |
US20130203345A1 (en) * | 2005-12-31 | 2013-08-08 | Blaze Mobile | Wireless Bidirectional Communications between a Mobile Device and Associated Secure Element using Inaudible Sound Waves |
US20130218022A1 (en) * | 2012-02-17 | 2013-08-22 | Honeywell International Inc. | Personal Protective Equipment with Integrated Physiological Monitoring |
US20130238119A1 (en) * | 2010-03-16 | 2013-09-12 | Jireh Health, Llc | Apparatus, system, and method for accurate dispensing of prescription medications |
US20140009262A1 (en) * | 2008-12-15 | 2014-01-09 | Proteus Digital Health, Inc. | Personal authentication apparatus system and method |
US20140031011A1 (en) * | 2012-07-30 | 2014-01-30 | Ncr Corporation | Location aware authentication techniques |
US20140149746A1 (en) * | 2012-11-28 | 2014-05-29 | Arnold Yau | Method and system of providing authentication of user access to a computer resource on a mobile device |
US20140282877A1 (en) * | 2013-03-13 | 2014-09-18 | Lookout, Inc. | System and method for changing security behavior of a device based on proximity to another device |
US8843997B1 (en) * | 2009-01-02 | 2014-09-23 | Resilient Network Systems, Inc. | Resilient trust network services |
US20140310786A1 (en) * | 2013-04-16 | 2014-10-16 | Imageware Systems, Inc. | Integrated interactive messaging and biometric enrollment, verification, and identification system |
US20140368222A1 (en) * | 2013-06-12 | 2014-12-18 | Microchip Technology Incorporated | Capacitive Proximity Detection Using Delta-Sigma Conversion |
US20150028996A1 (en) * | 2013-07-25 | 2015-01-29 | Bionym Inc. | Preauthorized wearable biometric device, system and method for use thereof |
US20150257004A1 (en) * | 2014-03-07 | 2015-09-10 | Cellco Partnership D/B/A Verizon Wireless | Symbiotic biometric security |
US20150271156A1 (en) * | 2014-03-21 | 2015-09-24 | Venafi, Inc. | Geo-Fencing Cryptographic Key Material |
US20150304292A1 (en) * | 2012-10-24 | 2015-10-22 | Cyber-Ark Software Ltd. | A system and method for secure proxy-based authentication |
US9355231B2 (en) * | 2012-12-05 | 2016-05-31 | Telesign Corporation | Frictionless multi-factor authentication system and method |
US9374655B1 (en) * | 2012-06-18 | 2016-06-21 | Amazon Technologies, Inc. | Managing a transmission power level |
Family Cites Families (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4637022A (en) | 1984-12-21 | 1987-01-13 | Motorola, Inc. | Internally register-modelled, serially-bussed radio system |
WO1993004425A1 (en) | 1991-08-13 | 1993-03-04 | Universal Photonix, Inc. | System for remotely validating the identity of indivuals and determining their locations |
JP4074661B2 (en) | 1995-05-08 | 2008-04-09 | マサチューセッツ・インスティテュート・オブ・テクノロジー | Non-contact detection and signal system using human body as signal transmission medium |
US5796827A (en) | 1996-11-14 | 1998-08-18 | International Business Machines Corporation | System and method for near-field human-body coupling for encrypted communication with identification cards |
US6104913A (en) | 1998-03-11 | 2000-08-15 | Bell Atlantic Network Services, Inc. | Personal area network for personal telephone services |
US6664792B1 (en) | 1998-09-29 | 2003-12-16 | Intel Corporation | Method and apparatus for battery power pre-check at system power-on |
US7206423B1 (en) | 2000-05-10 | 2007-04-17 | Board Of Trustees Of University Of Illinois | Intrabody communication for a hearing aid |
US7536557B2 (en) | 2001-03-22 | 2009-05-19 | Ensign Holdings | Method for biometric authentication through layering biometric traits |
US6422911B1 (en) | 2001-02-22 | 2002-07-23 | Mattel, Inc. | Toy device using through-the-body communication |
FR2828962B1 (en) | 2001-08-27 | 2003-12-19 | Cit Alcatel | ELECTRICAL ENERGY REGULATION DEVICE FOR SUPPLY BUS |
US20030134591A1 (en) | 2002-01-17 | 2003-07-17 | Roberts Mark Gary | Digital remote signaling system |
US7512448B2 (en) | 2003-01-10 | 2009-03-31 | Phonak Ag | Electrode placement for wireless intrabody communication between components of a hearing system |
US7945064B2 (en) | 2003-04-09 | 2011-05-17 | Board Of Trustees Of The University Of Illinois | Intrabody communication with ultrasound |
US7966511B2 (en) | 2004-07-27 | 2011-06-21 | Intel Corporation | Power management coordination in multi-core processors |
DE102004050071A1 (en) | 2004-10-13 | 2006-04-27 | Daimlerchrysler Ag | Mobile identification sensor detecting device for vehicle, has two inner identification receivers arranged in neck rest of vehicle front seats, where signal coupling is formed between sensor and receivers as capacitive coupling |
US7577459B2 (en) | 2005-05-11 | 2009-08-18 | Nokia Corporation | Establishing a communication link |
JP4741292B2 (en) | 2005-06-09 | 2011-08-03 | 株式会社日立製作所 | Device management system |
US7443759B1 (en) | 2006-04-30 | 2008-10-28 | Sun Microsystems, Inc. | Reduced-power memory with per-sector ground control |
US9362976B2 (en) | 2006-04-26 | 2016-06-07 | Zih Corp. | Wireless local area network system and receiver adapted for use thereof and associated method |
US7777719B2 (en) | 2007-01-19 | 2010-08-17 | Nokia Corporation | System using a living body as a transmission medium |
US20090160256A1 (en) | 2007-12-21 | 2009-06-25 | Sandisk Corporation, A Delaware Corporation | Multi-regulator power delivery system for ASIC cores |
US7875996B2 (en) | 2007-12-21 | 2011-01-25 | Sandisk Corporation | Multi-regulator power delivery system for ASIC cores |
US7859134B2 (en) | 2007-12-21 | 2010-12-28 | Sandisk Corporation | Self-configurable multi-regulator ASIC core power delivery |
JP4748239B2 (en) | 2009-03-17 | 2011-08-17 | 株式会社デンソー | Communication device |
EP2608158A1 (en) | 2011-12-22 | 2013-06-26 | Gemalto SA | Method to perform a transaction using a biometric reader and associated biometric reader |
DE102012100923A1 (en) | 2012-02-06 | 2013-08-08 | Dorma Gmbh + Co. Kg | Keyless access control system for building, has electronic system designed such that communication between code transmitter and electronic system takes place in partially capacitive manner through skin of user |
JP2016506552A (en) | 2012-11-16 | 2016-03-03 | コーニンクレッカ フィリップス エヌ ヴェKoninklijke Philips N.V. | Biometric system with body-coupled communication interface |
Also Published As
Publication number | Publication date |
---|---|
US10255422B1 (en) | 2019-04-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20190236257A1 (en) | | Identity Proxy for Access Control Systems |
US11934509B2 (en) | | Methods for maintaining user access to computing devices based on determining user control |
US10360364B2 (en) | | Method for changing mobile communication device functionality based upon receipt of a second code |
US20220369086A1 (en) | | Selective Pairing of Wireless Devices Using Shared Keys |
US10943000B2 (en) | | System and method for supplying security information |
US9432361B2 (en) | | System and method for changing security behavior of a device based on proximity to another device |
US20160337863A1 (en) | | Method for performing device security corrective actions based on loss of proximity to another device |
US9208305B2 (en) | | Method and apparatus for a token |
US20160379220A1 (en) | | Multi-Instance Shared Authentication (MISA) Method and System Prior to Data Access |
US20140380445A1 (en) | | Universal Authentication and Data Exchange Method, System and Service |
US20240098491A1 (en) | | Cryptographic process for portable devices, and user presence and/or access authorization system and method employing same |
US20180227754A1 (en) | | Wearable data device with deactivation security feature |
US11868169B2 (en) | | Enabling access to data |
JP6916101B2 (en) | | Sharing system |
KR101592897B1 (en) | | Secure Digital system using Near Field Communication, pair system making a pair with the secure digital system, and providing method thereof |
Duttagupta et al. | | HAT: Secure and Practical Key Establishment for Implantable Medical Devices |
US20210076210A1 (en) | | Portable electronic authentication device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: ADVISORY ACTION MAILED |
| STCV | Information on status: appeal procedure | Free format text: NOTICE OF APPEAL FILED |
| STCV | Information on status: appeal procedure | Free format text: APPEAL BRIEF (OR SUPPLEMENTAL BRIEF) ENTERED AND FORWARDED TO EXAMINER |
| STCV | Information on status: appeal procedure | Free format text: BOARD OF APPEALS DECISION RENDERED |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION |