WO2016075545A1 - Remote pin entry - Google Patents

Remote pin entry Download PDF

Info

Publication number
WO2016075545A1
WO2016075545A1 PCT/IB2015/002331 IB2015002331W WO2016075545A1 WO 2016075545 A1 WO2016075545 A1 WO 2016075545A1 IB 2015002331 W IB2015002331 W IB 2015002331W WO 2016075545 A1 WO2016075545 A1 WO 2016075545A1
Authority
WO
WIPO (PCT)
Prior art keywords
pin
user
credential
mobile device
enter
Prior art date
Application number
PCT/IB2015/002331
Other languages
French (fr)
Inventor
Sylvain Prevost
Anders WALLBOM
Daniel Berg
Original Assignee
Assa Abloy Ab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Assa Abloy Ab filed Critical Assa Abloy Ab
Publication of WO2016075545A1 publication Critical patent/WO2016075545A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly

Definitions

  • This application is related to the field of authentication and access control and more particularly to remote entry of authentication information to provide access control.
  • a user may be provided with a credential for gaining access to a restricted area or device.
  • the credential may be physical, such as a token, smart cards, etc., while in other instances, the credential may be in the form of software and/or digital data, such as a digital certificate.
  • the credential by itself, may be sufficient to allow access.
  • a user could approach a door having a reader and a corresponding keypad. The user would present a credential, such as a smartcard, to the reader and then the user would enter a PIN value on the keypad. The user gains access if the credential is valid and the correct PIN value is entered.
  • a driver entering a garage may present a token to a reader to gain access.
  • the driver may then be required to also enter a PIN at a keypad, which may be inconveniently located and may require the driver to leave the car for access.
  • some readers may not have a corresponding keypad, in which case the added security provided by requiring a PIN may not be employed.
  • managing access to a resource by a user includes validating a credential presented by the user, determining if the user is allowed to remotely enter a PIN, the user entering the PIN remotely in response to the user being allowed to remotely enter the PIN, and granting the user access to the resource in response to the credential being valid and the PIN being valid.
  • Managing access to a resource by a user may also include granting the user access to the resource in response to the credential being valid and a PIN not being required.
  • the credential may be presented to a reader and determination if a PIN is required may be made by the reader or a computer that manages security.
  • the credential may be embedded in a mobile device. The user may remotely enter the PIN using the mobile device.
  • Managing access to a resource by a user may also include determining if the user is associated with a detected mobile device and allowing the user to enter the PIN using the detected mobile device in response to the user being associated with the detected mobile device.
  • a security state of the mobile device Prior to allowing the user to enter the PIN with the detected mobile device, a security state of the mobile device may be examined. The security state of the mobile device may depend upon installation of appropriate code on the mobile device and/or installation of ant- virus software. Additional users may present credentials and each of the users may separately enter a PIN.
  • the PIN may be provided by an alphanumeric string, biometric data, a screen pattern, motion gestures, face recognition, a fingerprint, a heart monitor, voice acquisition, sound acquisition, and/or a pressure sensor.
  • the PIN may be provided to the credential prior to validating the credential and the PIN may be provided by the credential.
  • the PIN may be erased from the credential in response to the user being granted access, the passage of time, and/or strength of a signal from the credential.
  • the user may enter the PIN using a pinpad corresponding to a reader coupled to the credential or a mobile device associated with the user. The user may choose whether to enter the PIN using the pinpad or enter the PIN using the mobile device.
  • a non-transitory computer-readable medium contains software that manages access to a resource by a user.
  • the software includes executable code that validates a credential presented by the user, executable code that determines if the user is allowed to remotely enter a PIN, executable code that accepts the PIN remotely entered by the user in response to the user being allowed to remotely enter the PIN, and executable code that grants the user access to the resource in response to the credential being valid and the PIN being valid.
  • the software may also include executable code that grants the user access to the resource in response to the credential being valid and a PIN not being required.
  • the credential may be presented to a reader and determination if a PIN is required may be made by the reader or a computer that manages security.
  • the credential may be embedded in a mobile device.
  • the user remotely may enter the PIN using the mobile device.
  • the software may also include executable code that determines if the user is associated with a detected mobile device and executable code that allows the user to enter the PIN using the detected mobile device in response to the user being associated with the detected mobile device.
  • a security state of the mobile device Prior to allowing the user to enter the PIN with the detected mobile device, a security state of the mobile device may be examined. The security state of the mobile device may depend upon installation of appropriate code on the mobile device and/or installation of ant- virus software. Additional users may present credentials and each of the users may separately enter a PIN.
  • the PIN may be provided by an alphanumeric string, biometric data, a screen pattern, motion gestures, face recognition, a fingerprint, a heart monitor, voice acquisition, sound acquisition, and/or a pressure sensor.
  • the PIN may be provided to the credential prior to validating the credential and the PIN may be provided by the credential.
  • the PIN may be erased from the credential in response to the user being granted access, the passage of time, and/or strength of a signal from the credential.
  • the user may enter the PIN using a pinpad corresponding to a reader coupled to the credential or a mobile device associated with the user. The user may choose whether to enter the PIN using the pinpad or enter the PIN using the mobile device.
  • FIG. 1 is a schematic illustration showing a user, a reader, a credential, and a mobile device according to an embodiment of the system described herein.
  • FIG. 2 is a schematic illustration showing a credential, and a mobile device according to an embodiment of the system described herein.
  • FIG. 3 is a flow diagram illustrating processing for handling PIN entry in connection with using a credential to gain access according to an embodiment of the system described herein.
  • FIG. 4 is a flow diagram illustrating processing performed in connection with remotely entering a PIN according to an embodiment of the system described herein.
  • a diagram 50 shows a user approaching a reader 52 that is used to gain access to an asset (not shown), such as a door.
  • the asset could be any physical or logical resource for which restricted access is desired, such as any physical area (e.g., parking garage), a VPN, a laptop, a Website, etc.
  • the user has a credential 54 that may be presented to the reader 52 to provide the user with access to the asset.
  • the credential 54 could be any appropriate credential that may be used to provide secure access, such as a token, a smartcard, a badge, digital data (e.g., a PKI certificate), software, etc.
  • the user also has a mobile device 56, such as a smartphone, tablet, etc. that provides conventional mobile device functionality in addition to the functionality described herein.
  • the reader 52 and the credential 54 communicate over the air using, for example, the Bluetooth communication protocol. However, any other appropriate protocol may be used and, in some case, physical contact between the reader 52 and the credential 54 may be required.
  • the reader 52 may detect the presence of the mobile device 56 and may prompt the user to enter a PIN value at the mobile device 56. This is described in more detail elsewhere herein.
  • the reader 52 and the mobile device 56 may communicate over the air using, for example, the Bluetooth communication protocol or by using conventional cellular communication protocol(s) (e.g., SMS).
  • the credential 54 being valid and the user entering a correct PIN on the mobile device 56, the user is granted access.
  • the reader 52 may include a conventional keypad 62. In some cases, the user may be given the choice of using the keypad 62, or the device 56 to enter a pin value.
  • a mobile device 56' is shown with an embedded credential 54'.
  • the user does not need a separate device/item for the credential 54' since the credential 54' is embedded in the mobile device 56'.
  • the embedded credential 54' could be a physical item, such as a secure chip, or could be software/data (e.g., a digital certificate) stored on the mobile device 56'.
  • a flow diagram 80 illustrates processing performed for handling PIN entry in connection with using a credential to gain access to a resource. Processing begins at a first step 82 where a user presents a credential. Following the step 82 is a test step 84 where it is determined if a PIN is required. As discussed elsewhere herein, in some instances, a user may gain access to a restricted resource by presenting only the credential and no PIN is
  • the determination at the step 84 may be made by a reader that reads the credential or by another processing device coupled to the reader (e.g., a back office computer that manages security for an organization).
  • the step 82 may be a gating step so that, if the credentials are not valid, processing ends and the user does not enter a PIN. That is, in some embodiments, the user is never prompted to enter a PIN if the user does not possess appropriate credentials.
  • test step 84 If it is determined at the test step 84 that a PIN is not needed, then processing is complete. Otherwise, control transfers from the test step 84 to a test step 86 where it is determined if remote PIN entry is allowed. In some instances, remote PIN entry may be an option (e.g., set by a supervisor/manager) so that some users are allowed remote PIN entry and some are not. If it is determined at the test step 86 that a user is not allowed remote PIN entry, then control transfers from the test step 86 to a step 88 where the user enters a PIN using conventional techniques (e.g., using the keypad 62 at the reader 52 of FIG. 1). Following the step 86, processing is complete.
  • conventional techniques e.g., using the keypad 62 at the reader 52 of FIG.
  • a mobile device of the user i.e., is powered on and in communication with the reader.
  • one or more specific mobile devices may be associated with a particular user to prevent PIN entry/prompting by a random mobile device.
  • the test at the step 92 determines if mobile device A is detected without regard to the presence (or not) of mobile device B.
  • a user may be associated with a particular mobile device using any appropriate technique, such as associating IMEI number(s) and/or MAC addresses of particular mobile device(s) with particular users, installing specific software/data on a mobile device of a user, etc. In instances where multiple users with multiple credentials are present, each user may be prompted separately for a PIN, as appropriate.
  • the test at the step 92 also determines if the mobile device of the user is in an appropriate state (e.g., the operating system and level are
  • the appropriate code is installed and deemed safe and is not "jailbroken” or "rooted”, recognized levels of antivirus software is installed, etc.).
  • step 92 If it is determined at the test step 92 that no mobile device is detected for the user, then control transfers from the step 92 to the step 88, discussed above, where the user uses conventional techniques to enter a PIN. Thus, even if a user is authorized to use remote PIN entry, the user is still required to use convention PIN entry if there is no appropriate mobile device for providing the user with remote PIN entry capability. Following the step 88, processing is complete. If it is determined at the test step 92 that a mobile device is detected for the user, then control transfers from the step 92 to a step 94, where the user provides remote PIN entry. Processing performed at the step 94 is described in more detail elsewhere herein. Following the step 94, processing is complete. Referring to FIG.
  • a flow diagram 110 illustrates processing performed in connection with remote PIN entry using a mobile device.
  • Processing begins at a step 112 where secure communication is established between the mobile device and the reader.
  • the secure communication may be established using, for example, a shared secret or by using any appropriate technique.
  • a step 114 where the user is prompted to enter a PIN.
  • a PIN entry GUI may be provided to the mobile device in connection with prompting the user, in which case the mobile device does not store or maintain the PIN entry GUI.
  • the PIN may be a 4-8 digit number or alphanumeric string.
  • the alphanumeric character set includes the typical set of letters and numbers, along with special characters ($, #, ⁇ , !, @, mathematical symbols, punctuations marks, and may include letters from other languages such asas an e with an acute accent (e), etc).
  • the PIN may be provided by biometric data, a password, a screen pattern, motion gestures, face recognition, a fingerprint, a heart monitor, voice acquisition, sound acquisition, a pressure sensor or any other input that can identify the user. Note that, as discussed elsewhere herein, in some embodiments the user is never prompted to enter a PIN unless it is first determined that the user possesses appropriate credentials for access. Note also that, in some cases, the PIN may be stored in a Secure Access Module or similar, such as soft encrypted vault.
  • a step 116 the mobile device sends the PIN to the reader 52.
  • the pin may be sent in a single message, or may be sent character by character.
  • the pin may be sent via an encrypted channel, or may be encrypted prior to transfer (using, for example, one time passwords) and transferred using an unencrypted channel.
  • a device other than the reader e.g., central security processing computer
  • the mobile device may send the PIN and the credential together (either as separate data units or as a single data unit).
  • the PIN may be provided to the credential, in which case the credential sends the PIN with credential data to the reader.
  • the PIN and/or the GUI may be erased from the credential. Determining when to erase a PIN from a credential may be based on one or more appropriate factors, such as the passage of time, a GPS location of the user (i.e., has entered restricted area), an indication (signal) from the system that access has been granted, NFC strength of a signal from the mobile device, detected presence of the reader, etc.
  • a test step 122 where it is determined if the PIN is OK (i.e., matched an expected value stored for the user). If not, then control transfers from the test step 122 to a step 124 where either the user is provided with an opportunity to retry entering the PIN or where access is denied (e.g., after N retries). Following the step 124, processing is complete. If it is determined at the step 122 that the PIN is OK, then control transfers from the test step 122 to a step 126 where access to the restricted resource is allowed. Following the step 126, processing is complete.
  • the PIN may be stored on the mobile device to facilitate the test at the step 122. In some instances, a PIN stored on the mobile device is stored in a secure element thereof. Note also that the code/logic to perform the PIN comparison on the mobile device may be provided to the mobile device with the GUI at the step 114.
  • the mobile device may be a cell phone or a tablet, although other devices, such as a laptop or desktop computer, are also possible.
  • the mobile device may include software that is pre-loaded with the device (including software for pin entry), software that is installed from an app store, installed from a desktop (after possibly being pre-loaded thereon), installed from media such as a CD, DVD, etc., and/or downloaded from a Web site.
  • the mobile device may use an operating system selected from the group consisting of: iOS, Android OS, Windows Phone OS, Blackberry OS and mobile versions of Linux OS.
  • Software implementations of the system described herein may include executable code that is stored in a computer readable medium and executed by one or more processors.
  • the computer readable medium may be non-transitory and include a computer hard drive, ROM, RAM, flash memory, portable computer storage media such as a CD-ROM, a DVD-ROM, a flash drive, an SD card and/or other drive with, for example, a universal serial bus (USB) interface, and/or any other appropriate tangible or non-transitory computer readable medium or computer memory on which executable code may be stored and executed by a processor.
  • the system described herein may be used in connection with any appropriate operating system.
  • the items in object collections may be stored using a file system of the OS X operating system or an App Store provided by Apple, Inc., a file system provided by the Windows ® operating system or a file system of the Linux operating system distributions provided by multiple vendors.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Telephone Function (AREA)

Abstract

Managing access to a resource by a user includes validating a credential presented by the user, determining if the user is allowed to remotely enter a PIN, the user entering the PIN remotely in response to the user being allowed to remotely enter the PIN, and granting the user access to the resource in response to the credential being valid and the PIN being valid. Managing access to a resource by a user may also include granting the user access to the resource in response to the credential being valid and a PIN not being required. The credential may be presented to a reader and determination if a PIN is required may be made by the reader or a computer that manages security. The credential may be embedded in a mobile device. The user may remotely enter the PIN using the mobile device.

Description

REMOTE PIN ENTRY
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority to U.S. Prov. App. No. 62/078,643, filed November 12, 2014, and entitled "REMOTE PIN ENTRY", which is incorporated by reference herein.
TECHNICAL FIELD
This application is related to the field of authentication and access control and more particularly to remote entry of authentication information to provide access control.
BACKGROUND
A user may be provided with a credential for gaining access to a restricted area or device. The credential may be physical, such as a token, smart cards, etc., while in other instances, the credential may be in the form of software and/or digital data, such as a digital certificate. In some cases, the credential, by itself, may be sufficient to allow access. However, for added security, it is useful to require that the user also provide additional verification, such as a PIN code, each time the credential is used. Thus, for example, a user could approach a door having a reader and a corresponding keypad. The user would present a credential, such as a smartcard, to the reader and then the user would enter a PIN value on the keypad. The user gains access if the credential is valid and the correct PIN value is entered.
In some instances, it may be inconvenient to enter a PIN. For example, a driver entering a garage may present a token to a reader to gain access. The driver may then be required to also enter a PIN at a keypad, which may be inconveniently located and may require the driver to leave the car for access. In addition, some readers may not have a corresponding keypad, in which case the added security provided by requiring a PIN may not be employed.
Accordingly, it is desirable to provide a system that facilitates convenient entry of PIN values by users in a security system. SUMMARY OF THE INVENTION
According to the system described herein, managing access to a resource by a user includes validating a credential presented by the user, determining if the user is allowed to remotely enter a PIN, the user entering the PIN remotely in response to the user being allowed to remotely enter the PIN, and granting the user access to the resource in response to the credential being valid and the PIN being valid. Managing access to a resource by a user may also include granting the user access to the resource in response to the credential being valid and a PIN not being required. The credential may be presented to a reader and determination if a PIN is required may be made by the reader or a computer that manages security. The credential may be embedded in a mobile device. The user may remotely enter the PIN using the mobile device. Managing access to a resource by a user may also include determining if the user is associated with a detected mobile device and allowing the user to enter the PIN using the detected mobile device in response to the user being associated with the detected mobile device. Prior to allowing the user to enter the PIN with the detected mobile device, a security state of the mobile device may be examined. The security state of the mobile device may depend upon installation of appropriate code on the mobile device and/or installation of ant- virus software. Additional users may present credentials and each of the users may separately enter a PIN. The PIN may be provided by an alphanumeric string, biometric data, a screen pattern, motion gestures, face recognition, a fingerprint, a heart monitor, voice acquisition, sound acquisition, and/or a pressure sensor. The PIN may be provided to the credential prior to validating the credential and the PIN may be provided by the credential. The PIN may be erased from the credential in response to the user being granted access, the passage of time, and/or strength of a signal from the credential. The user may enter the PIN using a pinpad corresponding to a reader coupled to the credential or a mobile device associated with the user. The user may choose whether to enter the PIN using the pinpad or enter the PIN using the mobile device.
According further to the system described herein, a non-transitory computer-readable medium contains software that manages access to a resource by a user. The software includes executable code that validates a credential presented by the user, executable code that determines if the user is allowed to remotely enter a PIN, executable code that accepts the PIN remotely entered by the user in response to the user being allowed to remotely enter the PIN, and executable code that grants the user access to the resource in response to the credential being valid and the PIN being valid. The software may also include executable code that grants the user access to the resource in response to the credential being valid and a PIN not being required. The credential may be presented to a reader and determination if a PIN is required may be made by the reader or a computer that manages security. The credential may be embedded in a mobile device. The user remotely may enter the PIN using the mobile device. The software may also include executable code that determines if the user is associated with a detected mobile device and executable code that allows the user to enter the PIN using the detected mobile device in response to the user being associated with the detected mobile device. Prior to allowing the user to enter the PIN with the detected mobile device, a security state of the mobile device may be examined. The security state of the mobile device may depend upon installation of appropriate code on the mobile device and/or installation of ant- virus software. Additional users may present credentials and each of the users may separately enter a PIN. The PIN may be provided by an alphanumeric string, biometric data, a screen pattern, motion gestures, face recognition, a fingerprint, a heart monitor, voice acquisition, sound acquisition, and/or a pressure sensor. The PIN may be provided to the credential prior to validating the credential and the PIN may be provided by the credential. The PIN may be erased from the credential in response to the user being granted access, the passage of time, and/or strength of a signal from the credential. The user may enter the PIN using a pinpad corresponding to a reader coupled to the credential or a mobile device associated with the user. The user may choose whether to enter the PIN using the pinpad or enter the PIN using the mobile device.
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments of the system are described with reference to the several figures of the drawings, briefly described as follows. FIG. 1 is a schematic illustration showing a user, a reader, a credential, and a mobile device according to an embodiment of the system described herein.
FIG. 2 is a schematic illustration showing a credential, and a mobile device according to an embodiment of the system described herein.
FIG. 3 is a flow diagram illustrating processing for handling PIN entry in connection with using a credential to gain access according to an embodiment of the system described herein.
FIG. 4 is a flow diagram illustrating processing performed in connection with remotely entering a PIN according to an embodiment of the system described herein.
DETAILED DESCRIPTION OF VARIOUS EMBODIMENTS
Referring to FIG. 1, a diagram 50 shows a user approaching a reader 52 that is used to gain access to an asset (not shown), such as a door. Note that the asset could be any physical or logical resource for which restricted access is desired, such as any physical area (e.g., parking garage), a VPN, a laptop, a Website, etc. The user has a credential 54 that may be presented to the reader 52 to provide the user with access to the asset. The credential 54 could be any appropriate credential that may be used to provide secure access, such as a token, a smartcard, a badge, digital data (e.g., a PKI certificate), software, etc. The user also has a mobile device 56, such as a smartphone, tablet, etc. that provides conventional mobile device functionality in addition to the functionality described herein.
The user approaches the reader 52 and presents the credential 54. In an embodiment herein, the reader 52 and the credential 54 communicate over the air using, for example, the Bluetooth communication protocol. However, any other appropriate protocol may be used and, in some case, physical contact between the reader 52 and the credential 54 may be required. In response to the credential 54, the reader 52 may detect the presence of the mobile device 56 and may prompt the user to enter a PIN value at the mobile device 56. This is described in more detail elsewhere herein. The reader 52 and the mobile device 56 may communicate over the air using, for example, the Bluetooth communication protocol or by using conventional cellular communication protocol(s) (e.g., SMS). In response to the credential 54 being valid and the user entering a correct PIN on the mobile device 56, the user is granted access. In some cases, the reader 52 may include a conventional keypad 62. In some cases, the user may be given the choice of using the keypad 62, or the device 56 to enter a pin value.
Referring to FIG. 2, a mobile device 56' is shown with an embedded credential 54'. In the embodiment of FIG. 2, the user does not need a separate device/item for the credential 54' since the credential 54' is embedded in the mobile device 56'. The embedded credential 54' could be a physical item, such as a secure chip, or could be software/data (e.g., a digital certificate) stored on the mobile device 56'.
Referring to FIG. 3, a flow diagram 80 illustrates processing performed for handling PIN entry in connection with using a credential to gain access to a resource. Processing begins at a first step 82 where a user presents a credential. Following the step 82 is a test step 84 where it is determined if a PIN is required. As discussed elsewhere herein, in some instances, a user may gain access to a restricted resource by presenting only the credential and no PIN is
required/used. The determination at the step 84 may be made by a reader that reads the credential or by another processing device coupled to the reader (e.g., a back office computer that manages security for an organization). Note that the step 82 may be a gating step so that, if the credentials are not valid, processing ends and the user does not enter a PIN. That is, in some embodiments, the user is never prompted to enter a PIN if the user does not possess appropriate credentials.
If it is determined at the test step 84 that a PIN is not needed, then processing is complete. Otherwise, control transfers from the test step 84 to a test step 86 where it is determined if remote PIN entry is allowed. In some instances, remote PIN entry may be an option (e.g., set by a supervisor/manager) so that some users are allowed remote PIN entry and some are not. If it is determined at the test step 86 that a user is not allowed remote PIN entry, then control transfers from the test step 86 to a step 88 where the user enters a PIN using conventional techniques (e.g., using the keypad 62 at the reader 52 of FIG. 1). Following the step 86, processing is complete.
If it is determined at the step 86 that remote PIN entry is allowed for the user, then control transfers from the test step 86 to a test step 92 where it is determined if a mobile device of the user is detected (i.e., is powered on and in communication with the reader). In an embodiment herein, one or more specific mobile devices may be associated with a particular user to prevent PIN entry/prompting by a random mobile device. Thus, for example, if mobile device A is associated with user A' and mobile device B is associated with user B', then when user A presents his credential at the reader, the test at the step 92 determines if mobile device A is detected without regard to the presence (or not) of mobile device B. A user may be associated with a particular mobile device using any appropriate technique, such as associating IMEI number(s) and/or MAC addresses of particular mobile device(s) with particular users, installing specific software/data on a mobile device of a user, etc. In instances where multiple users with multiple credentials are present, each user may be prompted separately for a PIN, as appropriate. In some embodiments, the test at the step 92 also determines if the mobile device of the user is in an appropriate state (e.g., the operating system and level are
appropriate, the appropriate code is installed and deemed safe and is not "jailbroken" or "rooted", recognized levels of antivirus software is installed, etc.).
If it is determined at the test step 92 that no mobile device is detected for the user, then control transfers from the step 92 to the step 88, discussed above, where the user uses conventional techniques to enter a PIN. Thus, even if a user is authorized to use remote PIN entry, the user is still required to use convention PIN entry if there is no appropriate mobile device for providing the user with remote PIN entry capability. Following the step 88, processing is complete. If it is determined at the test step 92 that a mobile device is detected for the user, then control transfers from the step 92 to a step 94, where the user provides remote PIN entry. Processing performed at the step 94 is described in more detail elsewhere herein. Following the step 94, processing is complete. Referring to FIG. 4, a flow diagram 110 illustrates processing performed in connection with remote PIN entry using a mobile device. Processing begins at a step 112 where secure communication is established between the mobile device and the reader. The secure communication may be established using, for example, a shared secret or by using any appropriate technique. Following the step 112 is a step 114 where the user is prompted to enter a PIN. In an embodiment herein, a PIN entry GUI may be provided to the mobile device in connection with prompting the user, in which case the mobile device does not store or maintain the PIN entry GUI. The PIN may be a 4-8 digit number or alphanumeric string. The alphanumeric character set includes the typical set of letters and numbers, along with special characters ($, #, Λ, !, @, mathematical symbols, punctuations marks, and may include letters from other languages such asas an e with an acute accent (e), etc). In some embodiments, the PIN may be provided by biometric data, a password, a screen pattern, motion gestures, face recognition, a fingerprint, a heart monitor, voice acquisition, sound acquisition, a pressure sensor or any other input that can identify the user. Note that, as discussed elsewhere herein, in some embodiments the user is never prompted to enter a PIN unless it is first determined that the user possesses appropriate credentials for access. Note also that, in some cases, the PIN may be stored in a Secure Access Module or similar, such as soft encrypted vault.
Following the step 114 is a step 116 where the mobile device sends the PIN to the reader 52. The pin may be sent in a single message, or may be sent character by character. The pin may be sent via an encrypted channel, or may be encrypted prior to transfer (using, for example, one time passwords) and transferred using an unencrypted channel. Note that, in other embodiments, it is possible to have a device other than the reader (e.g., central security processing computer) that receives the PIN. Note also that, in instances where the mobile device includes the credential (i.e., embedded in the mobile device), the mobile device may send the PIN and the credential together (either as separate data units or as a single data unit). In some cases where the credential is separate from the mobile device, the PIN may be provided to the credential, in which case the credential sends the PIN with credential data to the reader. Note that, after access is granted, the PIN and/or the GUI may be erased from the credential. Determining when to erase a PIN from a credential may be based on one or more appropriate factors, such as the passage of time, a GPS location of the user (i.e., has entered restricted area), an indication (signal) from the system that access has been granted, NFC strength of a signal from the mobile device, detected presence of the reader, etc.
Following the step 118 is a test step 122 where it is determined if the PIN is OK (i.e., matched an expected value stored for the user). If not, then control transfers from the test step 122 to a step 124 where either the user is provided with an opportunity to retry entering the PIN or where access is denied (e.g., after N retries). Following the step 124, processing is complete. If it is determined at the step 122 that the PIN is OK, then control transfers from the test step 122 to a step 126 where access to the restricted resource is allowed. Following the step 126, processing is complete. Note that the PIN may be stored on the mobile device to facilitate the test at the step 122. In some instances, a PIN stored on the mobile device is stored in a secure element thereof. Note also that the code/logic to perform the PIN comparison on the mobile device may be provided to the mobile device with the GUI at the step 114.
Various embodiments discussed herein may be combined with each other in appropriate combinations in connection with the system described herein. Additionally, in some instances, the order of steps in the flowcharts, flow diagrams and/or described flow processing may be modified, where appropriate. Various aspects of the system described herein may be implemented using software, hardware, a combination of software and hardware and/or other computer-implemented modules or devices having the described features and performing the described functions. The mobile device may be a cell phone or a tablet, although other devices, such as a laptop or desktop computer, are also possible. The mobile device may include software that is pre-loaded with the device (including software for pin entry), software that is installed from an app store, installed from a desktop (after possibly being pre-loaded thereon), installed from media such as a CD, DVD, etc., and/or downloaded from a Web site. The mobile device may use an operating system selected from the group consisting of: iOS, Android OS, Windows Phone OS, Blackberry OS and mobile versions of Linux OS. Software implementations of the system described herein may include executable code that is stored in a computer readable medium and executed by one or more processors. The computer readable medium may be non-transitory and include a computer hard drive, ROM, RAM, flash memory, portable computer storage media such as a CD-ROM, a DVD-ROM, a flash drive, an SD card and/or other drive with, for example, a universal serial bus (USB) interface, and/or any other appropriate tangible or non-transitory computer readable medium or computer memory on which executable code may be stored and executed by a processor. The system described herein may be used in connection with any appropriate operating system. The items in object collections may be stored using a file system of the OS X operating system or an App Store provided by Apple, Inc., a file system provided by the Windows® operating system or a file system of the Linux operating system distributions provided by multiple vendors.
Other embodiments of the invention will be apparent to those skilled in the art from a consideration of the specification or practice of the invention disclosed herein.

Claims

What is claimed is:
1. A method of managing access to a resource by a user, comprising:
validating a credential presented by the user;
determining if the user is allowed to remotely enter a PIN;
the user entering the PIN remotely in response to the user being allowed to remotely enter the PIN; and
granting the user access to the resource in response to the credential being valid and the PIN being valid.
2. A method, according to claim 1, further comprising:
granting the user access to the resource in response to the credential being valid and a PIN not being required.
3. A method, according to claim 2, wherein the credential is presented to a reader and wherein determination if a PIN is required is made by one of: the reader and a computer that manages security.
4. A method, according to claim 1, wherein the credential is embedded in a mobile device.
5. A method, according to claim 4, wherein the user remotely enters the PIN using the mobile device.
6. A method, according to claim 1, further comprising:
determining if the user is associated with a detected mobile device; and
allowing the user to enter the PIN using the detected mobile device in response to the user being associated with the detected mobile device.
7. A method, according to claim 6, wherein, prior to allowing the user to enter the PIN with the detected mobile device, a security state of the mobile device is examined.
8. A method, according to claim 7, wherein the security state of the mobile device depends upon at least one of: installation of appropriate code on the mobile device and installation of ant-virus software.
9. A method, according to claim 1, wherein additional users present credentials and wherein each of the users separately enters a PIN.
10. A method, according to claim 1, wherein the PIN is provided by at least one of: an alphanumeric string, biometric data, a screen pattern, motion gestures, face recognition, a fingerprint, a heart monitor, voice acquisition, sound acquisition, and a pressure sensor.
11. A method, according to claim 1, wherein the PIN is provided to the credential prior to validating the credential and wherein the PIN is provided by the credential.
12. A method, according to claim 11, wherein the PIN is erased from the credential in response to at least one of: the user being granted access, the passage of time, and strength of a signal from the credential.
13. A method, according to claim 1, wherein the user enters the PIN using one of: a pinpad corresponding to a reader coupled to the credential or a mobile device associated with the user.
14. A method, according to claim 13, wherein the user chooses whether to enter the PIN using the pinpad or enter the PIN using the mobile device.
15. A non-transitory computer-readable medium containing software that manages access to a resource by a user, the software comprising:
executable code that validates a credential presented by the user;
executable code that determines if the user is allowed to remotely enter a PIN;
executable code that accepts the PIN remotely entered by the user in response to the user being allowed to remotely enter the PIN; and
executable code that grants the user access to the resource in response to the credential being valid and the PIN being valid.
16. A non-transitory computer-readable medium, according to claim 15, further comprising: executable code that grants the user access to the resource in response to the credential being valid and a PIN not being required.
17. A non-transitory computer-readable medium, according to claim 16, wherein the credential is presented to a reader and wherein determination if a PIN is required is made by one of: the reader and a computer that manages security.
18. A non-transitory computer-readable medium, according to claim 15, wherein the credential is embedded in a mobile device.
19. A non-transitory computer-readable medium, according to claim 18, wherein the user remotely enters the PIN using the mobile device.
20. A non-transitory computer-readable medium, according to claim 15, further comprising: executable code that determines if the user is associated with a detected mobile device; and
executable code that allows the user to enter the PIN using the detected mobile device in response to the user being associated with the detected mobile device.
21. A non-transitory computer-readable medium, according to claim 20, wherein, prior to allowing the user to enter the PIN with the detected mobile device, a security state of the mobile device is examined.
22. A non-transitory computer-readable medium, according to claim 21, wherein the security state of the mobile device depends upon at least one of: installation of appropriate code on the mobile device and installation of ant-virus software.
23. A non-transitory computer-readable medium, according to claim 15, wherein additional users present credentials and wherein each of the users separately enters a PIN.
24. A non-transitory computer-readable medium, according to claim 15, wherein the PIN is provided by at least one of: an alphanumeric string, biometric data, a screen pattern, motion gestures, face recognition, a fingerprint, a heart monitor, voice acquisition, sound acquisition, and a pressure sensor.
25. A non-transitory computer-readable medium, according to claim 15, wherein the PIN is provided to the credential prior to validating the credential and wherein the PIN is provided by the credential.
26. A non-transitory computer-readable medium, according to claim 25, wherein the PIN is erased from the credential in response to at least one of: the user being granted access, the passage of time, and strength of a signal from the credential.
27. A non-transitory computer-readable medium, according to claim 15, wherein the user enters the PIN using one of: a pinpad corresponding to a reader coupled to the credential or a mobile device associated with the user.
28. A non-transitory computer-readable medium, according to claim 27, wherein the user chooses whether to enter the PIN using the pinpad or enter the PIN using the mobile device.
PCT/IB2015/002331 2014-11-12 2015-11-11 Remote pin entry WO2016075545A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201462078643P 2014-11-12 2014-11-12
US62/078,643 2014-11-12

Publications (1)

Publication Number Publication Date
WO2016075545A1 true WO2016075545A1 (en) 2016-05-19

Family

ID=55262839

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2015/002331 WO2016075545A1 (en) 2014-11-12 2015-11-11 Remote pin entry

Country Status (1)

Country Link
WO (1) WO2016075545A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11339589B2 (en) 2018-04-13 2022-05-24 Dormakaba Usa Inc. Electro-mechanical lock core
US11466473B2 (en) 2018-04-13 2022-10-11 Dormakaba Usa Inc Electro-mechanical lock core
US11913254B2 (en) 2017-09-08 2024-02-27 dormakaba USA, Inc. Electro-mechanical lock core
US11933076B2 (en) 2016-10-19 2024-03-19 Dormakaba Usa Inc. Electro-mechanical lock core
US12031357B2 (en) 2019-10-09 2024-07-09 Dormakaba Usa Inc. Electro-mechanical lock core

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008016580A1 (en) * 2006-08-01 2008-02-07 Sentillion, Inc. Methods and apparatus for managing user access to a computing environment
US20100100939A1 (en) * 2008-10-21 2010-04-22 Flexilis, Inc. Secure mobile platform system
EP2228746A1 (en) * 2009-03-13 2010-09-15 Assa Abloy Ab Realization of access control conditions as boolean expressions in credential authentications
US20140068717A1 (en) * 2011-04-18 2014-03-06 Nearfield Communications Limited Method and system for controlling access

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008016580A1 (en) * 2006-08-01 2008-02-07 Sentillion, Inc. Methods and apparatus for managing user access to a computing environment
US20100100939A1 (en) * 2008-10-21 2010-04-22 Flexilis, Inc. Secure mobile platform system
EP2228746A1 (en) * 2009-03-13 2010-09-15 Assa Abloy Ab Realization of access control conditions as boolean expressions in credential authentications
US20140068717A1 (en) * 2011-04-18 2014-03-06 Nearfield Communications Limited Method and system for controlling access

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11933076B2 (en) 2016-10-19 2024-03-19 Dormakaba Usa Inc. Electro-mechanical lock core
US11913254B2 (en) 2017-09-08 2024-02-27 dormakaba USA, Inc. Electro-mechanical lock core
US11339589B2 (en) 2018-04-13 2022-05-24 Dormakaba Usa Inc. Electro-mechanical lock core
US11447980B2 (en) 2018-04-13 2022-09-20 Dormakaba Usa Inc. Puller tool
US11466473B2 (en) 2018-04-13 2022-10-11 Dormakaba Usa Inc Electro-mechanical lock core
US12031357B2 (en) 2019-10-09 2024-07-09 Dormakaba Usa Inc. Electro-mechanical lock core

Similar Documents

Publication Publication Date Title
AU2013205396B2 (en) Methods and Systems for Conducting Smart Card Transactions
US20140282992A1 (en) Systems and methods for securing the boot process of a device using credentials stored on an authentication token
US9716699B2 (en) Password management system
US9552472B2 (en) Associating distinct security modes with distinct wireless authenticators
WO2016015448A1 (en) Multi-system entering method, apparatus and terminal
US20150244718A1 (en) Biometric authentication
US9716593B2 (en) Leveraging multiple biometrics for enabling user access to security metadata
WO2016080995A1 (en) Methods and systems for accessing a secure system
US20160285911A1 (en) Context sensitive multi-mode authentication
US10444792B2 (en) Unlocking control system, method and wearable device using the same
WO2016075545A1 (en) Remote pin entry
TWI739778B (en) The login mechanism of the operating system
US11354394B2 (en) Identity verification using autonomous vehicles
US20220052997A1 (en) Authentication information processing method and apparatus and user terminal including authentication information processing method and apparatus
US10009341B1 (en) External keyboard with OTP capability
KR20190128868A (en) Authentication system and method of blochchain distributed ledger and cryptocurrency offline storage
US20130198836A1 (en) Facial Recognition Streamlined Login
US20130340073A1 (en) Identification to Access Portable Computing Device
US9858409B2 (en) Enhancing security of a mobile device using pre-authentication sequences
KR20200006991A (en) Method, system and medium for authenticating a user using biometric signatures
WO2016165537A1 (en) Method for controlling intelligent terminal and apparatus for controlling intelligent terminal
KR102010764B1 (en) Computer security system and method using authentication function in smart phone
KR102269085B1 (en) Operating method of electronic device for performing login to a plurality of programs using integrated identification information
KR102633314B1 (en) method and apparatus for processing authentication information and user terminal including the same
EP3791300A1 (en) Firmware access based on temporary passwords

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15828843

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15828843

Country of ref document: EP

Kind code of ref document: A1