WO2017158376A1 - Methods, user devices, access control equipments, computer software, computer program products and systems for facilitating authentication or access control - Google Patents

Info

Publication number
WO2017158376A1
Authority
WO
WIPO (PCT)
Prior art keywords
user device
data
user
authentication
data processing
Application number
PCT/GB2017/050748
Other languages
French (fr)
Inventor
Satnam Singh BIRDI
Original Assignee
Vzinternet Ltd
Application filed by Vzinternet Ltd
Publication of WO2017158376A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/40 User authentication by quorum, i.e. whereby two or more security principals are required
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • The present invention relates to methods, user devices, access control equipments, computer software, computer program products and systems for facilitating authentication or access control.

Background
  • Some known user authentication systems rely on the provision of credentials (for example a username and password) which are compared to stored credentials. An authentication decision is made based on such a comparison. Such authentication systems are susceptible to interception and exploitation, for example by man-in-the-middle attacks.
  • Biometric information, for example fingerprint data, retina scans, and/or facial or voice characteristics, may be used to perform authentication.
  • Biometric information is inherently public, can still be stolen or replicated, and cannot readily be changed or reset.
  • Biometric systems at best prove identity, not intent.
  • Human authentication agents may be used to assist in the authentication of a user.
  • An authentication agent may be, for example, a person in the user's social circle, or may be a representative of a controlling authority associated with a resource to which the user is requesting access.
  • a communication session may be set up between the user and the authentication agent to allow the authentication agent to view or hear the user, and to confirm or deny the identity of the user accordingly.
  • the controlling authority takes the authentication agent's feedback into account when determining whether to grant access to the user.
  • such an authentication process may still be at risk from interception or hijacking.
  • A perpetrator, knowing the identity of a recognised authentication agent, could hijack an authentication process and authenticate a user when in fact the user is not present, for example.
  • The controlling authority, unaware of any such interception, is therefore inherently at risk of mistakenly granting access based on unreliable or false authentication.
  • a user device of facilitating authentication relating to a user of at least one further user device in a data communication system, the data communication system comprising:
  • group of data processing entities comprising:
  • the method comprising, at the user device:
  • the authentication response operation having as inputs:
  • a user device for facilitating authentication relating to a user of at least one further user device in a data communication system, the data communication system comprising:
  • group of data processing entities comprising:
  • the user device being configured to:
  • a third aspect of the present invention there is provided computer software adapted to perform a method, at a user device, of facilitating authentication relating to a user of at least one further user device in a data communication system, the data communication system comprising:
  • group of data processing entities comprising:
  • the method comprising, at the user device:
  • the authentication response operation having as inputs:
  • a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerised device to cause the computerised device to perform a method, at a user device, of facilitating authentication relating to a user of at least one further user device in a data communication system, the data communication system comprising:
  • group of data processing entities comprising:
  • the method comprising, at the user device:
  • the authentication response operation having as inputs:
  • a method, performed by access control equipment, of facilitating access control relating to at least one resource in a data communication system comprising: a group of data processing entities, the group of data processing entities comprising:
  • the method comprising, at the access control equipment:
  • first input data obtained by the at least one further user device using a first data processing element located at the at least one further user device and the first data transmitted by the access control equipment;
  • access control equipment for facilitating access control relating to at least one resource in a data communication system, the data communication system comprising:
  • a group of data processing entities comprising: a first user device;
  • the access control equipment being configured to:
  • first input data obtained by the at least one further user device using a first data processing element located at the at least one further user device and the first data transmitted by the access control equipment;
  • a seventh aspect of the invention there is provided computer software adapted to perform a method, at access control equipment, of facilitating access control relating to at least one resource in a data communication system, the data communication system comprising:
  • group of data processing entities comprising:
  • the method comprising, at the access control equipment:
  • first input data obtained by the at least one further user device using a first data processing element located at the at least one further user device and the first data transmitted by the access control equipment;
  • a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerised device to cause the computerised device to perform a method, at access control equipment, of facilitating access control relating to at least one resource in a data communication system, the data communication system comprising: a group of data processing entities, the group of data processing entities comprising:
  • the method comprising, at the access control equipment:
  • first input data obtained by the at least one further user device using a first data processing element located at the at least one further user device and the first data transmitted by the access control equipment;
  • a user device of facilitating access to at least one resource in a data communication system, the data communication system comprising:
  • group of data processing entities comprising: at least one further user device;
  • the method comprising, at the user device:
  • the access control equipment is able to perform an access control operation relating to the at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
  • a user device for facilitating access to at least one resource in a data communication system, the data communication system comprising:
  • group of data processing entities comprising:
  • the user device being configured to:
  • process the received first data using a first data processing element located at the user device to obtain first input data; and output the first input data for transmission to at least one data processing entity in the group of data processing entities to allow the at least one further user device to perform an authentication response operation to derive authentication response data, the authentication response operation having as inputs the first input data, second input data obtained by the at least one further user device using a second data processing element located at the at least one further user device, and data indicative of a result of an authentication decision made by a user of the at least one further user device relating to a user of the user device, wherein the access control equipment is able to perform an access control operation relating to the at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
  • computer software adapted to perform a method, at a user device, of facilitating access to at least one resource in a data communication system, the data communication system comprising:
  • group of data processing entities comprising:
  • the method comprising, at the user device:
  • the access control equipment is able to perform an access control operation relating to the at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
  • a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerised device to cause the computerised device to perform a method, at a user device, of facilitating access to at least one resource in a data communication system, the data communication system comprising: a group of data processing entities, the group of data processing entities comprising:
  • the method comprising, at the user device:
  • the access control equipment is able to perform an access control operation relating to the at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
  • a system comprising the user device for facilitating authentication and the user device for facilitating access.
  • a fourteenth aspect of the present invention there is provided a system comprising the user device for facilitating authentication and the access control equipment for facilitating access control.
  • a system comprising the user device for facilitating access and the access control equipment for facilitating access control.
  • a system comprising the user device for facilitating authentication, the user device for facilitating access and the access control equipment for facilitating access control.
  • Figure 1 shows a schematic representation of an example of a data communication system in accordance with an embodiment of the present invention.
  • Figure 2 shows a schematic representation of another example of a data communication system in accordance with an embodiment of the present invention.
  • Figure 3 shows a signalling diagram of an example of a method of facilitating authentication in accordance with an embodiment of the present invention.
  • Figure 4 shows a schematic representation of the example of the data communication system shown in Figure 2 in accordance with an embodiment of the present invention.
  • Figure 5 shows a signalling diagram of another example of a method of facilitating access to at least one resource in accordance with an embodiment of the present invention.
  • Figure 6 shows a schematic representation of the example of the data communication system shown in Figures 2 and 4 in accordance with an embodiment of the present invention.
  • Figure 7 shows a signalling diagram of another example of a method of facilitating access to at least one resource in accordance with an embodiment of the present invention.
  • Figure 8 shows a signalling diagram of another example of a method of facilitating access to at least one resource in accordance with an embodiment of the present invention.
  • Figure 9 shows a signalling diagram of another example of a method of facilitating access to at least one resource in accordance with an embodiment of the present invention.
  • Figure 10 shows a schematic representation of an example of a data processing framework in accordance with an embodiment of the present invention.
  • Figure 11 shows a schematic representation of another example of a data communication system in accordance with an embodiment of the present invention.
  • Figure 12 shows a schematic representation of an example of a graphical user interface in accordance with an embodiment of the present invention.
  • Figure 13 shows a schematic representation of an example of an apparatus in accordance with an embodiment of the present invention.
  • User-to-user interactions may provide a reliable way of performing authentication of a user. If a first user recognises or does not recognise a second user, the first user can quickly and reliably make an authentication decision relating to the second user. However, user-to-user interactions may still be open to attack. Therefore, a secure framework for user-mediated authentication is provided.
  • the data communication system 100 includes three apparatuses 110, 120, 130.
  • the data communication system 100 could include different numbers of apparatuses.
  • the apparatuses 110, 120, 130 are data processing entities. In other words, apparatuses 110, 120, 130 are configured to process data.
  • the first data processing entity 110 is a first user device 110.
  • the first user device 110 is used by an authenticating user, in other words a user that performs authentication in relation to at least one user, which may be the same as the authenticating user or a different user.
  • the second data processing entity 120 is a second user device 120.
  • the second user device 120 is used by a user in relation to which authentication is to be performed, which may be the same as the authenticating user or a different user.
  • the third data processing entity 130 is access control equipment 130.
  • the access control equipment 130 is configured to control access to one or more resources.
  • references to a "first" user device and a "second" user device are made for ease of explanation only, and are not intended to imply a temporal or chronological sequence.
  • an authentication procedure may be initiated by the first user device 110, the second user device 120 or the access control equipment 130.
  • the first user device 110 and/or the second user device 120 could belong to an authenticating user, a user in relation to which authentication is to be performed, or neither, according to certain examples.
  • the first user device 110, the second user device 120 and the access control equipment 130 include one or more computing devices.
  • Examples of computing devices include, but are not limited to, a personal computer (PC), a smartphone, a tablet computing device, a laptop computing device, a smart television, a smart watch, a server etc.
  • the first user device 110 is connectable to one or more data communication networks 140 via one or more communication channels 150.
  • the second user device 120 is connectable to the one or more data communication networks 140 via one or more communication channels 160.
  • the access control equipment 130 is connectable to the one or more data communication networks 140 via one or more communication channels 170.
  • Examples of the data communication network 140 include, but are not limited to, the Internet, a Local Area Network (LAN), a Wide Area Network (WAN), a Wireless Local Area Network (WLAN) etc.
  • the data communication network 140 may include one or more network nodes. Examples of such network nodes include, but are not limited to, routers, switches, servers, etc.
  • the data communication network 140 may also include a plurality of interconnected networks.
  • the one or more data communication networks 140 may be arranged to allow data to be communicated in a secure manner, for example by encrypting data transmitted through the one or more data communication networks 140.
  • the one or more data communication channels 150, 160, 170 may be wireless communication channels.
  • the wireless communication channels may be provided by one or more cellular networks.
  • the one or more data communication channels 150, 160, 170 are wired channels.
  • the one or more communication channels 150, 160, 170 may be established and/or maintained using one or more data communication protocols. Examples of such data communication protocols include, but are not limited to, Real-Time Communication (RTC), Web Real-Time Communication (WebRTC), Interactive Connectivity Establishment (ICE), Internet Protocol Suite, etc.
  • Application layer protocols such as Hypertext Transfer Protocol 1 (HTTP/1), Hypertext Transfer Protocol 2 (HTTP/2), Extensible Messaging and Presence Protocol (XMPP) or WebSocket may additionally or alternatively be used in some embodiments.
  • the one or more communication channels 150, 160, 170 are encrypted to provide secured communications.
  • the one or more communication channels 150, 160, 170 are peer-to-peer (P2P) communication channels, in other words providing a direct connection between multiple endpoints.
  • the establishment of the one or more communication channels 150, 160, 170 is mediated by one or more devices or proxy devices.
  • the one or more communication channels 150, 160, 170 are used as a framework to establish one or more communication sessions.
  • the one or more communication channels 150, 160, 170 enable data to be communicated between at least some of the data processing entities 110, 120, 130.
  • the one or more communication sessions may be established through the use of one or more communication identifiers.
  • a communication identifier may be associated with a given data processing entity and may be used to establish a communication session with the given data processing entity.
  • Examples of data communication identifiers include, but are not limited to, Internet Protocol (IP) addresses, port identifiers, telephone numbers, available and/or preferred communication platforms, Uniform Resource Locators (URLs), cryptographic nonces or any other information usable in the establishment of the one or more communication sessions via the one or more communication channels 150, 160, 170.
  • the data communication system 100 can be used to perform user-mediated authentication in which a user of the first user device 110 cooperates with a user of the second user device 120 to perform authentication relating to the user of the second user device 120.
  • Data relating to the authentication decision made by the user of the first user device 110 is communicated to the access control equipment 130.
  • the access control equipment 130 compares the data relating to the authentication decision to expected data (for example corresponding to a positive or negative authentication decision) and makes an access control decision based on such a comparison. Since the authentication is performed within a secure framework by the users, the access control equipment 130 can be confident that the authentication has been performed securely, even though the access control equipment 130 does not make the authentication decision itself.
  • Measures are put in place to provide an assurance that both user devices 110, 120 have been involved in the data flow leading to the authentication decision, thereby mitigating against man-in-the-middle and other types of attack. Since the secure framework involves data processing at each of the first user device 110, the second user device 120 and the access control equipment 130, such processing will now be described from the perspective of each of these data processing entities in turn.
  • In Figure 2 there is shown schematically an example of a data communication system 200.
  • the data communication system 200 corresponds closely to the data communication system 100 shown in Figure 1, with like items shown using like reference signs.
  • the second user device 120 and the access control equipment 130 are considered to form part of a group 210 of data processing entities, from the perspective of the first user device 110.
  • first user device 110 and the second user device 120 each include one or more respective data processing elements 220, 230.
  • the data processing elements 220, 230 may be stored in the memory of user devices 110, 120, respectively.
  • the data processing elements 220, 230 may be stored temporarily or permanently in the memory of user devices 110, 120, respectively.
  • the data processing element 220 located at the first user device 110 may be the same as or different from the data processing element 230 located at the second user device 120.
  • the data processing elements 220, 230 are received from a remote source.
  • the data processing elements 220, 230 may be received via the one or more data communication networks 140 or in another manner, for example on a Compact Disc Read-Only Memory (CD-ROM), Universal Serial Bus (USB) flash drive etc.
  • the data processing elements 220, 230 may comprise, for example, decryption keys, lookup tables, cryptographic algorithms, mathematical or transformational functions, or any other parameters, functions, operations, values, tables or factors that can be used to process data.
  • the data processing elements 220, 230 are derived by user devices 110, 120, respectively.
  • One or both of the data processing elements 220, 230 may be derived based on an interrogation of one or more device-specific characteristics. Examples of device-specific characteristics include, but are not limited to, a screen resolution of a device, a device identifier, etc.
  • the device-specific characteristics used to derive one or both of the data processing elements 220, 230 may be selected by the access control equipment 130.
  • the data processing elements 220, 230 may be associated with a given authentication request. One or both of the data processing elements 220, 230 may be configured to vary between some or all different authentication requests. In some examples, one or more device-specific characteristics that are selected to be used to derive one or both of the data processing elements 220, 230 vary between some or all different authentication requests. Varying the data processing elements 220, 230, or other data used in the authentication process, between different authentication requests can help to reduce predictability, which could otherwise be exploited by malware or other forms of attack. In some examples, such variation of the data processing elements 220, 230 is non-deterministic. The data processing elements 220, 230 are used to enable the access control equipment 130 to be confident that the correct data processing and data flow is used by the first user device 110 and the second user device 120 in performing authentication, as will be described in more detail below.
  • In Figure 3 there is shown a signalling diagram depicting an example of a method 300 of performing authentication.
  • the method may be employed in a data communication system 200 such as that depicted in Figure 2 and described above, which includes a first user device 110 and a group of data processing entities 210, the group of data processing entities 210 including the second user device 120 and the access control equipment 130.
  • the first user device 110 receives first and second input data from at least one data processing entity in the group of data processing entities 210.
  • the first and the second input data may be received via the one or more communication channels 150.
  • the first and the second input data may be received by the first user device 110 in separate data payloads or as separable parts of a single data payload.
  • Prior to the first user device 110 receiving the first input data, the first input data is obtained by the second user device 120 using a data processing element 230 located at the second user device 120.
  • the data processing element 230 located at the second user device 120 is used to process first input data to obtain the processed first input data.
  • the first user device 110 processes the received second input data using a data processing element 220 located at the first user device 110 to obtain processed second input data.
  • the data processing element 220 includes a transformation function.
  • the first user device 110 may process at least a portion of the received second input data by performing a transformation operation on the at least a portion of the received second input data using the transformation function.
  • the transformation operation may, for example, be an arithmetic operation and/or may involve mapping one set of values to another set of values according to one or more mapping rules associated with the transformation function.
  • the data processing element 220 includes one or more decryption keys.
  • at least part of the second input data received by the first user device 110 is received in an encrypted form.
  • the first user device 110 processes at least a portion of the encrypted second input data by performing a decryption operation using the decryption key. After such a decryption operation has been performed, the second input data, or portion thereof, which was received in an encrypted form, is decrypted. In some examples, the first user device 110 decrypts only part of the second input data, with some of the second input data remaining in an encrypted form.
  • the data processing element 220 located at the first user device 110 may be associated with a given authentication request from the group of data processing entities 210.
  • the data processing element 220 may be configured to vary between different authentication requests. In some examples, such variation of the data processing element 220 between different authentication requests is non-deterministic.
  • the data processing element 220 to be used for a given authentication request may be determined cooperatively with the access control equipment 130. In some examples, the data processing element 220 to be used for a given authentication request is set by the access control equipment 130. The access control equipment 130 may then transmit an indication of the data processing element 220 to be used for the given authentication request to the first user device 110. In another example, the data processing element 220 to be used for a given authentication request is set by the first user device 110.
  • the first user device 110 may then transmit an indication of the data processing element 220 to be used for the given authentication request to the access control equipment 130.
  • the cooperative agreement between the first user device 110 and the access control equipment 130 of the data processing element 220 to be used may be performed between the first user device 110 and the access control equipment 130 prior to the first user device 110 receiving the first and second input data. This cooperative determination enables the access control equipment 130 to be aware of the data processing element 220 to be used by the first user device 110 for the processing of the second input data for a given authentication request.
  • the first user device 110 performs an authentication response operation to derive authentication response data.
  • the authentication response operation has several inputs.
  • a first input of the authentication response operation is the received first input data, i.e. the data having been obtained by the second user device 120 using the data processing element 230 located at the second user device 120.
  • a second input of the authentication response operation is the processed second input data, i.e. the data having been obtained by the first user device 110 using the data processing element 220 located at the first user device 110. Consequently, the derived authentication response data is dependent on both the data processing element 220 located at the first user device 110 and the data processing element 230 located at the second user device 120. Both data processing elements 220, 230 are known by the access control equipment 130.
  • a third input of the authentication response operation is data indicative of a result of an authentication decision made by a user of the first user device 110.
  • the authentication decision relates to a user of the second user device 120.
  • At least one of these inputs to the authentication response operation may vary between at least some different authentication requests. In some examples, at least one of these inputs to the authentication response operation varies non-deterministically between at least some different authentication requests.
  • the access control equipment 130 is aware of the various parameters that are to be used by the first user device 110 and the second user device 120 during the authentication procedure for a given authentication request to derive authentication response data corresponding to a particular authentication response (for example, positive or negative). For example, the access control equipment 130 is aware of the data processing elements 220, 230, the first and second input data, and the data indicative of the result of the authentication decision made by the user of the first user device 110 and uses such awareness to compare received authentication response data to expected authentication response data. In some examples, the access control equipment 130 calculates expected authentication response data using known values and compares the calculated expected authentication response data with received authentication response data. The access control equipment 130 is therefore able to determine what authentication response data should result if the authentication procedure has been performed using the secure framework.
  • the received first input data and the processed second input data are used to obtain a first authentication data element.
  • the first authentication data element may be used to derive the authentication response data.
  • the first authentication data element may, for example, be a numerical value, a character, a string, a function or any other form of data.
  • the first authentication data element may be used with further input data received from at least one of the data processing entities in the group of data processing entities 210 to obtain a second authentication data element.
  • the further input data may comprise third input data.
  • the third input data may be received from the second user device 120.
  • the further input data may comprise fourth input data.
  • the fourth input data may be received from the access control equipment 130.
  • the third input data and/or the fourth input data may be received in an encrypted form.
  • the second authentication data element may for example be a numerical value, a character, a string, a function or any other form of data.
  • the first authentication data element may be used to derive the second authentication data element. Consequently, the second authentication data element is dependent on the data processing element 220 located at the first user device 110, the data processing element 230 located at the second user device 120, the first input data, the second input data, and the further input data.
  • the second authentication data element may be used with at least one further data item to derive the authentication response data.
  • the at least one further data item may comprise the information indicative of the result of the authentication decision by the user of the first user device 110.
  • the at least one further data item may comprise a message authentication code (MAC).
  • the MAC may be derived using a cryptographic key in conjunction with a hash function. In other words, the MAC may be a keyed-hash message authentication code (HMAC).
  • the authentication decision made by the user of the first user device 110 is based on an interaction between the user of the first user device 110 and the user of the second user device 120. At least one communication session may be established between the first user device 110 and the second user device 120 to facilitate the authentication of the user of the second user device 120 by the user of the first user device 110.
  • the first user device 110 establishes the at least one communication session with the second user device 120.
  • the second user device 120 establishes the at least one communication session with the first user device 110.
  • the access control equipment 130 establishes the at least one communication session between the first user device 110 and the second user device 120.
  • Establishing the at least one communication session may involve initiating the at least one communication session, accepting a request to join the at least one communication session, participating in the at least one communication session, etc.
  • the at least one communication session may comprise a real-time communication session.
  • the at least one communication session may comprise a video call, a voice call and/or an instant messaging session.
  • the real-time communication session may be established via the one or more communication channels 150.
  • the real-time communication session is established on a separate communication channel from the one or more communication channels 150 used for the receiving of the first and the second input data.
  • the real-time communication session may be time-limited, for example it may be terminated after a predetermined amount of time has passed after establishment.
  • the at least one communication session may comprise a P2P communication session.
  • establishment of the at least one communication session is mediated by one or more proxy devices.
  • the one or more proxy devices may translate data sent in a first form from a first user device.
  • the data may be translated into a second form to be received by a second user device.
  • the one or more proxy devices do not store the data being translated.
  • establishment of at least one communication session between the first user device 110 and the second user device 120 is facilitated by a communication identifier associated with the first user device 110.
  • the communication identifier may be outputted for transmission by the first user device 110.
  • the communication identifier is outputted for transmission to the access control equipment 130.
  • an interaction between the user of the first user device 110 and the user of the second user device 120 comprises an immediate or "real-world" interaction.
  • if the user of the first user device 110 and the user of the second user device 120 are situated in the same physical space, they could speak to each other in person to perform authentication rather than having a real-time data communication session established between the first user device 110 and the second user device 120.
  • the interaction enables the user of the first user device 110 to provide an authentication decision relating to the user of the second user device 120.
  • the user of the first user device 110 can confirm or deny the identity of the user of the second user device 120 based on the interaction between the users.
  • the user of the first user device 110 can approve or reject a request (for example to access a resource) attempted by the user of the second user device 120 based on such an authentication decision.
  • the authentication decision may be based on a visual recognition of the face of the user of the second user device 120.
  • the authentication decision may be based on an aural recognition of the voice of the user of the second user device 120.
  • the authentication decision may be based on the sending by the user of the second user device 120 of a code-word or phrase known or expected by the user of the first user device 110.
  • the first user device 110 receives data comprising a one-time passcode from at least one data processing entity in the group of data processing entities 210.
  • the data comprising the one-time passcode may be received from the access control equipment 130.
  • the user of the first user device 110 may relay the one-time passcode to the user of the second user device 120.
  • data comprising the one-time passcode is outputted for transmission to the second user device 120.
  • the data comprising the one-time passcode may be transmitted via one or more Short Messaging Service (SMS) messages, e-mail, etc.
  • the user of the first user device 110 relays the one-time passcode to the user of the second user device 120 via a real-time communication session, e.g. a video call and/or a voice call.
  • the one-time passcode received by the user of the second user device 120 may be inputted to the second user device 120 and transmitted to the access control equipment 130 to facilitate access control relating to the at least one resource.
  • the first user device 110 receives data for display to the user of the first user device 110.
  • the data may represent an image relating to the authentication request.
  • the data representing the image may be received from the access control equipment 130.
  • the image relating to the authentication request may indicate the at least one resource to which access is requested.
  • the user of the first user device 110 may therefore perform an authentication decision relating to the user of the second user device 120 in view of a specific authentication request and/or transaction.
  • the image relating to the authentication request is associated with a one-time passcode.
  • the first user device 110 and the second user device 120 both receive data comprising a message for display to the user of the first user device 110 and to the user of the second user device 120, respectively.
  • the user of the second user device 120 may be required to vocalise the content of the message during a real-time voice call, in other words to say the message out loud.
  • Voice-to-text translation may be used to determine whether the user of the second user device 120 speaks the correct message.
  • the authentication decision made by the user of the first user device 110 may be received at the first user device 110 based on user input via a user interface associated with the first user device 110.
  • user input comprises user actuation at a graphical control element associated with the first user device 110. Examples of graphical control elements include, but are not limited to, an on-screen button or icon.
  • user input comprises user actuation at a keyboard associated with the first user device 110.
  • user input comprises automatic voice recognition.
  • the authentication decision may be determined at the first user device 110 based on a lack of user input. The absence of user input may be determined by the first user device 110 if no user input is received during a given time period.
  • the given time period may be the allowed time period for a time-limited, real-time communication session.
  • the absence of user input at the first user device 110 may be configured to indicate a positive authentication decision (e.g. a confirmation of the identity of the user of the second user device 120) or a negative authentication decision (e.g. a denial of the identity of the user of the second user device 120).
  • the first user device 110 is configured to use a response translation element to translate the result of the authentication decision into data indicative of the result of the authentication decision.
  • the result of the authentication decision may be a numerical value (e.g. "1" or "0"), a character (e.g. "Y" or "N"), a string (e.g. "YES" or "NO"), or any other form of information that represents the outcome of the authentication decision made by the user of the first user device 110.
  • the response translation element may include, for example, a numerical value, lookup table, cryptographic algorithm, mathematical or transformational function, passing operator, or any other parameter, function or operator suitable for translating data.
  • the response translation element may be associated with a given authentication request and may vary between different authentication requests.
  • the response translation element may be cooperatively agreed between the first user device 110 and the access control equipment 130, such that the access control equipment 130 knows the response translation element that should be used to translate the result of the authentication decision into data indicative of the result of the authentication decision.
  • the first user device 110 outputs the derived authentication response data for transmission to at least one data processing entity in the group of data processing entities 210.
  • the derived authentication response data enables the access control equipment 130 to perform an access control operation relating to at least one resource.
  • the access control operation is based on a comparison of the derived authentication response data with expected authentication response data.
  • Referring to FIG. 4, there is shown schematically an example of a data communication system 200 which corresponds to the data communication system 200 shown in Figure 2, with like items shown using like reference signs.
  • the first user device 110 and the access control equipment 130 are considered to form part of a group 400 of data processing entities, from the perspective of the second user device 120.
  • Referring to FIG. 5, there is shown a signalling diagram depicting an example of a method 500 of facilitating access to at least one resource.
  • the method 500 may be employed in a data communication system 200 such as that depicted in Figure 4 and described above, which includes a second user device 120 and a group of data processing entities 400, the group of data processing entities 400 comprising a first user device 110 and an access control equipment 130.
  • the second user device 120 receives first input data from at least one data processing entity in the group of data processing entities 400.
  • the first input data may be received via the one or more communication channels 160 connecting the second user device 120 to the one or more data communication networks 140.
  • the second user device 120 also receives second input data from at least one data processing entity in the group of data processing entities 400.
  • the first and the second input data may be received in separate data payloads.
  • the first and the second input data are received as separable parts of a single data payload.
  • the second user device 120 may obtain, for display to the user of the second user device 120, data indicating at least one user device authorised to be used to facilitate authentication relating to the user of the second user device 120.
  • the data indicating at least one authorised user may include a nominee list.
  • the data indicating the at least one authorised user may be received from the access control equipment 130.
  • data indicating only those authorised user devices that are determined to be available for communication is obtained for display to the user of the second user device 120.
  • the user of the second user device 120 may make a selection of a preferred nominee from the nominee list. The preferred nominee is involved in performing authentication relating to the user of the second user device 120.
  • the preferred nominee may be a preferred authorised user device, a preferred user of an authorised user device, and/or a user of a preferred authorised user device.
  • the preferred nominee is the first user device 110 and/or the user of the first user device 110.
  • the selection of a preferred authorised user device may be performed via user input at the second user device 120.
  • the user input may include touching a graphical control element on a touchscreen corresponding to the preferred nominee.
  • the user input may include pressing a button on a mouse and/or on a keyboard associated with the second user device 120.
  • the user input may include a verbal indication of the preferred nominee.
  • the user of the second user device 120 does not select a preferred authorised user device for authentication. In such examples, a preferred authorised user device may be selected by the access control equipment 130.
  • the second user device 120 receives at least one communication identifier from at least one data processing entity in the group of data processing entities 400.
  • the at least one communication identifier is associated with the first user device 110.
  • the at least one communication identifier may be usable in the establishment of one or more communication sessions between the second user device 120 and the first user device 110.
  • the at least one communication identifier is received from the access control equipment 130.
  • the at least one communication identifier is received from the first user device 110.
  • the second user device 120 processes the received (pre-processed) first input data using a data processing element 230 located at the second user device 120 to obtain processed first input data.
  • the data processing element 230 may be a software element stored in the memory of the second user device 120. In some examples, the data processing element 230 is stored temporarily or permanently at the second user device 120. The data processing element 230 may be derived on demand by the second user device 120. The data processing element 230 may be derived based on an interrogation of one or more device-specific characteristics associated with the second user device 120. The one or more device-specific characteristics may include, for example, a screen resolution of the second user device 120, a device identifier, etc. In some examples, the data processing element 230 includes the one or more device-specific characteristics. In some examples, the data processing element 230 is a transformation function.
  • the second user device 120 may process at least a portion of the received first input data by performing a transformation operation on the portion of the received first input data based on the transformation function.
  • the transformation operation may for example be an arithmetic operation and/or may involve exchanging of one set of values for another set of values according to one or more rules associated with the transformation function.
  • the data processing element 230 includes a decryption key.
  • the first input data received by the second user device 120 is received in an encrypted form.
  • the second user device 120 processes the received first input data by decrypting the first input data using the decryption key.
  • the data processing element 230 located at the second user device 120 and used in the processing of the first input data may be associated with a given authentication request.
  • the data processing element 230 may be configured to vary between at least some different authentication requests. In some examples, such variation between at least some different authentication requests may be non-deterministic.
  • the second user device 120 may cooperate with the access control equipment 130 to determine the data processing element 230 to be used. In some examples, the data processing element 230 to be used is set by the access control equipment 130. The access control equipment 130 may then transmit an indication of the data processing element 230 to be used to the second user device 120. In some examples, the data processing element 230 to be used is set by the second user device 120.
  • the second user device 120 may then transmit an indication of the data processing element 230 to be used to the access control equipment 130.
  • the cooperative determination enables the access control equipment 130 to be aware of the data processing element 230 to be used by the second user device 120 for the processing of the first input data for a given authentication request.
  • the second user device 120 outputs the processed first input data for transmission to at least one data processing entity in the group of data processing entities 400.
  • the processed first input data may be transmitted via the one or more communication channels 160.
  • the processed first input data is transmitted via a communication channel separate from the one or more communication channels 160 connecting the second user device 120 to the one or more data communication networks 140.
  • the second user device 120 also transmits further data to at least one entity of the group of data processing entities 400.
  • the processed first input data is usable as an input to an authentication response operation performed at the first user device 110.
  • the authentication response operation also has as inputs second input data obtained by the first user device 110 using a data processing element 220 located at the first user device 110, and data indicative of a result of an authentication decision made by a user of the first user device 110. At least one of the inputs to the authentication response operation may be associated with a given authentication request and may vary between different authentication requests.
  • the access control equipment 130 is able to perform an access control operation relating to the at least one resource based on a comparison of the authentication response data with expected authentication response data.
  • the second user device 120 establishes at least one communication session with the first user device 110 to facilitate the authentication of the user of the second user device 120 by the user of the first user device 110.
  • the at least one communication session may be a real-time communication session.
  • the real-time communication session is in accordance with Real-time Communication (RTC).
  • the real-time communication session is a WebRTC communication session.
  • the at least one communication session may comprise a video call and/or a voice call.
  • the at least one communication session may be a P2P communication session.
  • the at least one communication session is mediated via one or more proxy devices. Examples of such proxy devices include, but are not limited to, the access control equipment 130.
  • the second user device 120 determines whether establishment of a real-time communication session is allowed between the first user device 110 and the second user device 120. Determining whether establishment of a real-time communication session is allowed may be based on an identity of the first user device 110 and/or an identity of the user of the first user device 110. For example, establishment of a real-time communication session may not be allowed if it is determined that the user of the first user device 110 is the same as the user of the second user device 120. In other words, establishment of a real-time communication session may not be allowed if the user of the second user device 120 is self-authenticating using another of their own user devices, namely the first user device 110.
  • the second user device 120 may cause data comprising a one-time passcode to be transmitted from the access control equipment 130 to the first user device 110.
  • the data comprising the one-time passcode is transmitted from the access control equipment 130 to the first user device 110 in response to a determination that establishment of a real-time communication session is not allowed between the first user device 110 and the second user device 120.
  • the second user device 120 causes the data comprising the one-time passcode to be transmitted from the access control equipment 130 to the first user device 110 in response to receiving user input at the second user device 120.
  • the data comprising the one-time passcode is transmitted from the access control equipment 130 to the first user device 110 in response to receiving user input at the first user device 110.
  • the user input at the second user device 120 and/or the user input at the first user device 110 may include an indication that passcode-mediated authentication is preferred.
  • the second user device 120 receives data comprising a one-time passcode from at least one data processing entity in the group of data processing entities 400.
  • the second user device 120 may receive the data comprising the one-time passcode from the first user device 110.
  • the data comprising the one-time passcode may be received in various different ways from the first user device 110.
  • the data comprising the one-time passcode may be received via SMS, e-mail, etc.
  • the one-time passcode is conveyed from the user of the first user device 110 to the user of the second user device 120 via a real-time communication session.
  • the second user device 120 may receive the data comprising the one-time passcode based on user input received via a user interface associated with the second user device 120.
  • the second user device 120 may output data comprising the one-time passcode for transmission to at least one data processing entity in the group of data processing entities 400. In some examples, the second user device 120 outputs the data comprising the one-time passcode for transmission to the access control equipment 130.
  • the second user device 120 receives data for display to the user of the second user device 120.
  • the data may represent an image relating to the authentication request.
  • the data representing the image may be received from the access control equipment 130.
  • the image relating to the authentication request may indicate the at least one resource to which access is requested.
  • the image relating to the authentication request is associated with a one-time passcode.
  • the second user device 120 receives data indicating whether or not the user of the second user device 120 has been authenticated.
  • the data may additionally or alternatively indicate whether access to at least one resource has been granted or denied for the user of the second user device 120.
  • the data may provide an indication that one or more further authentication procedures are required before access to the at least one resource can be granted.
  • the one or more further authentication procedures may involve, for example, the user of the second user device 120 providing one or more physical or digital keys and/or biometric data. Examples of physical or digital keys include, but are not limited to, smartcards, USB tokens, passwords, etc.
  • the data may be received from one or more further entities (not shown) associated with at least one resource.
  • the access control equipment 130 may inform the one or more further entities of the result of the comparison it makes between the received authentication response data and the expected authentication response data, and the one or more further entities may decide whether or not to allow access to the one or more resources with which they are associated based on the information provided by the access control equipment 130.
  • Referring to FIG. 6, there is shown schematically an example of a data communication system 200 which corresponds to the data communication system 200 shown in Figures 2 and 4, with like items shown using like reference signs.
  • the first user device 110 and the second user device 120 are considered to form part of a group 600 of data processing entities, from the perspective of the access control equipment 130.
  • Referring to FIG. 7, there is shown a signalling diagram depicting an example of a method 700 of facilitating access control relating to at least one resource.
  • the method 700 may be employed in a data communication system 200 such as that depicted in Figure 6 and described above, which includes an access control equipment 130 and a group 600 of data processing entities, the group 600 of data processing entities comprising a first user device 110 and a second user device 120.
  • the access control equipment 130 transmits first and second input data to at least one data processing entity in the group 600 of data processing entities.
  • the first and the second input data may be transmitted via the one or more communication channels 170 connecting the access control equipment 130 to the one or more data communication networks 140.
  • the first and the second input data may be transmitted by the access control equipment 130 in separate data payloads or as separable parts of a single data payload.
  • the access control equipment 130 also transmits further data to at least one data processing entity in the group 600 of data processing entities.
  • the further data may include third input data and/or fourth input data.
  • the access control equipment 130 receives authentication response data from at least one data processing entity in the group of data processing entities 600.
  • the authentication response data may be received via the one or more communication channels 170.
  • the authentication response data is received via one or more communication channels separate from the one or more communication channels 170.
  • prior to being received by the access control equipment 130, the authentication response data is derived at the first user device 110 by the first user device 110 performing an authentication response operation.
  • the authentication response operation has, as inputs, processed first input data having been obtained by the second user device 120 using a data processing element 230 located at the second user device 120, processed second input data having been obtained by the first user device 110 using a data processing element 220 located at the first user device 110, and data indicative of a result of an authentication decision made by a user of the first user device 110.
  • At least one of the inputs to the authentication response operation may be associated with a given authentication request and may vary between different authentication requests.
  • the access control equipment 130 may be configured to vary at least one of the inputs to the authentication response operation. At least one of the inputs to the authentication response operation may be varied non-deterministically, according to some examples.
  • the access control equipment 130 may transmit a nominee list to the second user device 120.
  • the nominee list comprises data indicating at least one user device authorised to be used to facilitate authentication relating to the user of the second user device 120.
  • the at least one authorised user device includes at least the first user device 110.
  • the access control equipment 130 determines an availability of the at least one authorised user device.
  • the availability of a given authorised user device may indicate whether the given authorised user device is currently online.
  • the availability of a given authorised user device indicates whether the given authorised user device is able to participate in a real-time communication session with the second user device 120.
  • Data may be transmitted to the second user device 120 indicating only those authorised user devices that are determined to be available.
  • the nominee list may be transmitted by the access control equipment 130 in response to receiving a request from the second user device 120 relating to access to at least one resource.
  • the access control equipment 130 may receive data indicating a selection of a preferred authorised user device from the second user device 120.
  • the access control equipment 130 may transmit data to the first user device 110 indicating that the user of the second user device 120 is requesting access to the resource, and/or that the user of the second user device 120 requires authentication to be performed.
  • the user of the first user device 110 may be given a predetermined amount of time to respond to such an authentication request.
  • the access control equipment 130 transmits data to the second user device 120 indicating that the first user device 110 has been contacted.
  • the access control equipment 130 may notify the user of the second user device 120 accordingly. If the user of the first user device 110 indicates a willingness to perform authentication for the user of the second user device 120, a communication identifier associated with the first user device 110 may be transmitted from the first user device 110. In some examples, the communication identifier is transmitted to the second user device 120. For example, the first user device 110 may look up a communication identifier associated with the second user device 120 in its memory and transmit the communication identifier associated with the first user device 110 to the second user device 120 using the looked-up communication identifier of the second user device 120. In some examples, the communication identifier is transmitted to the access control equipment 130. The communication identifier may be used to facilitate establishment of a communication session between the first user device 110 and the second user device 120.
  • the access control equipment 130 transmits data comprising a one-time passcode to at least one data processing entity in the group of data processing entities 600.
  • the data comprising the one-time passcode may be transmitted to the first user device 110.
  • the access control equipment 130 receives data comprising the one-time passcode from at least one data processing entity in the group of data processing entities 600.
  • the data comprising the one-time passcode may be received from the second user device 120.
  • the access control equipment 130 determines an authentication result based on a comparison of the received authentication response data with expected authentication response data. As described above, the access control equipment 130 is aware of the various parameters that should have been used by the first user device 110 and the second user device 120 during the authentication procedure for a given authentication request, for example the data processing elements 220, 230, the first input data and the second input data, etc. The access control equipment 130 may therefore determine what authentication response data should be received if the authentication procedure has been performed, and the result relayed, securely.
  • the access control equipment 130 performs an access control operation relating to at least one resource for the second user device 120 based on the determined authentication result.
  • the access control operation comprises granting access to at least one resource for the second user device 120.
  • the access control operation may comprise denying access to the at least one resource for the second user device 120.
  • the access control operation comprises causing data to be transmitted to the second user device 120.
  • the data transmitted to the second user device 120 may provide an indication that access to the at least one resource is granted. Additionally or alternatively, the data transmitted to the second user device 120 may provide an indication that access to the at least one resource is denied.
  • the data transmitted to the second user device 120 provides an indication that one or more further authentication procedures are required before access to the at least one resource can be granted.
  • the access control operation comprises causing data to be transmitted to one or more further entities (not shown).
  • the data transmitted to the one or more further entities may, for example, indicate a recommendation relating to access to the at least one resource.
  • the data transmitted to the one or more further entities may provide an indication that access to the at least one resource should be granted to the second user device 120.
  • the data transmitted to the one or more further entities provides an indication that access to the at least one resource should be denied to the second user device 120.
  • the data transmitted to the one or more further entities provides an indication that one or more further authentication procedures should be performed before access is granted to the second user device 120.
  • the access control equipment 130 is operable to perform an access control operation based solely on the comparison of the received authentication response data with the expected authentication response data. In some examples, the access control equipment 130 is configured to grant access to at least one resource for the second user device 120 on the sole condition that the received authentication response data is equal to the expected authentication response data. If the received authentication response data is not equal to the expected authentication response data, access to the at least one resource may be denied to the second user device 120. In some examples, a determination that the received authentication response data is not equal to the expected authentication response data may cause one or more further authentication processes to be initiated.
  • the access control equipment 130 relies on the authentication decision made by the user of the first user device 110, provided that the authentication decision is relayed to the access control equipment 130 securely, namely in the form of correct authentication response data.
  • the generation of the correct authentication response data is only possible if the correct data processing elements 220, 230 are used by the first user device 110 and the second user device 120 to process the correct first and second input data received from the access control equipment 130.
  • Generating the correct authentication response data is also dependent on the first input data taking the correct "path" through the data communication system 200. Only if the first input data is obtained by the second user equipment 120 using the correct data processing element 230 and then communicated to the first user device 110 can the first user device 110 derive the correct authentication response data.
  • the access control equipment 130 can, if the received authentication response data matches the expected authentication response data, be safely assured that the expected first user device 110 and second user device 120 were used for authentication and that data was transferred between them in an expected manner.
  • the generation of the correct authentication response data may also only be possible if a positive authentication decision has been made by the user of the first user device 110.
  • the generation of the correct authentication response data may only be possible if the authentication decision made by the user of the first user device 110 is translated using the correct response translation element.
  • the access control equipment 130 knows what authentication response data should result from an authentication response operation performed by the first user device 110. If the output data received from the first user device 110 matches the expected output data, the access control equipment 130 can determine that the authentication process has been carried out, and the result relayed to the access control equipment 130, securely. Consequently, the access control equipment 130 can cede authority on the authentication decision to the user of the first user device 110. By effectively surrendering the responsibility of providing an authentication decision to a user in the data communication system 200, the liability of a controlling authority, e.g. a bank or any other holder of resources which have restricted access, may be reduced.
  • the result of the authentication decision may be made more reliable and/or more accurate.
  • Interacting with a user in a secure real-time communication session provides an effective way to recognise and authenticate that user, whether by seeing their face, hearing their voice, holding a conversation with them, etc.
  • By using human-mediated authentication instead of known password-orientated authentication, the burden of choosing and remembering multiple digital keys and passwords may be reduced.
  • Because biometric data is not stored at any entity involved in authentication, the potential risks associated with storing biometric data, particularly with regard to theft via hacking or other such subterfuge, are reduced. Consequently, security in the authentication procedure may be improved.
  • Security may be further enhanced by virtue of polymorphic variation within the authentication procedure.
  • One or several factors may vary between different authentication requests. These factors include, but are not limited to, the first and the second input data, the data processing element 220 used by the first user device 110 and the data processing element 230 used by the second user device 120. These factors may also include further input data, the response translation element and the authorised user device selected to perform authentication. Each of these factors may vary non-deterministically. Consequently, even if one or several of these factors were intercepted or stored by a third party during a given authentication request, the third party would not be able to generate the correct authentication response data to match the expected authentication response data for a subsequent authentication request, as the expected authentication response data changes, for example on every occasion. Therefore, man-in-the-middle and replay-type attacks which rely on behavioural consistency may be prevented and authentication performed more securely.
  • Referring to FIG. 8, there is shown a signalling diagram depicting an example of a method 800 of facilitating access control relating to at least one resource.
  • the method 800 may be employed in a data communication system 200 such as that depicted in Figures 2, 4 and 6 and described above, which includes a first user device 110, a second user device 120 and an access control equipment 130.
  • the first user device 110 is used to perform authentication relating to a user of the second user device 120.
  • the second user device 120 may be associated with a request for access to a resource. Access to the resource is controlled by the access control equipment 130.
  • the first user device 110 facilitates the control of access to the resource.
  • the access control equipment 130 transmits first input data to the second user device 120.
  • the access control equipment 130 also transmits further data to the second user device 120.
  • the further data may include third input data.
  • the further data may alternatively or additionally include fourth input data.
  • the access control equipment 130 transmits second input data to the first user device 110.
  • the access control equipment 130 also transmits further data to the first user device 110.
  • the further data may include third input data.
  • the further data may alternatively or additionally include fourth input data.
  • the second user device 120 processes the first input data received at item S8a using the data processing element 230 located at the second user device 120 to obtain processed first input data.
  • the second user device 120 transmits the processed first input data to the first user device 110. In some examples, the second user device 120 also transmits the third input data and/or the fourth input data to the first user device 110.
  • the first user device 110 processes the second input data received at item S8b using the data processing element 220 located at the first user device 110 to obtain processed second input data.
  • a real-time communication session is established between the first user device 110 and the second user device 120.
  • the real-time communication session allows the user of the first user device 110 to make a decision on the authenticity of the user of the second user device 120.
  • the first user device 110 performs an authentication response operation to derive authentication response data.
  • the authentication response operation has as inputs the processed first input data received at item S8a, the processed second input data obtained at item S8e, and data indicative of a result of an authentication decision made by a user of the first user device 110.
  • the first user device 110 outputs the authentication response data for transmission to the access control equipment 130.
  • the authentication response data is transmitted by the first user device 110 to the second user device 120.
  • the second user device 120 then forwards the authentication response data to the access control equipment 130.
  • the access control equipment 130 compares the received authentication response data with expected authentication response data.
  • the access control equipment 130 is able to perform an access control operation to control access to at least one resource for the second user device 120 based on the result of the comparison.
  • Referring to FIG. 9, there is shown a signalling diagram depicting an example of a method 900 of facilitating access control relating to at least one resource.
  • the method 900 may be employed in a data communication system 200 such as that depicted in Figures 2, 4 and 6 described above, which includes a first user device 110, a second user device 120 and an access control equipment 130.
  • the access control equipment 130 transmits data to the second user device 120 indicating at least one user device authorised to be used to facilitate authentication relating to a user of the second user device 120.
  • the data indicating at least one authorised user device may comprise a nominee list.
  • the nominee list may be associated with a given authentication request.
  • data indicating only those authorised user devices that are available, for example currently able to participate in a communication session with the second user device 120, is transmitted to the second user device 120.
  • the data indicating at least one authorised user device may be transmitted in response to receiving a request relating to the at least one resource from the second user device 120.
  • the second user device 120 receives user input indicating a selection of a preferred authorised user device from the received nominee list.
  • the second user device 120 transmits data indicating the preferred authorised user device to the access control equipment 130.
  • the preferred authorised user device is the first user device 110.
  • the access control equipment 130 transmits data to the first user device 110.
  • the data indicates that an authentication decision relating to the user of the second user device 120 is requested.
  • the first user device 110 receives user input indicating that the user of the first user device 110 is willing to provide an authentication decision relating to the user of the second user device 120.
  • the first user device 110 transmits a communication identifier associated with the first user device 110 to the access control equipment 130. In other examples, the first user device 110 transmits the communication identifier to the second user device 120.
  • the access control equipment 130 transmits first input data to the second user device 120.
  • the access control equipment 130 transmits second input data to the first user device 110.
  • the second user device 120 processes the first input data using the data processing element 230 located at the second user device 120 to obtain processed first input data.
  • the second user device 120 transmits the processed first input data to the first user device 110.
  • the second user device 120 may transmit the processed first input data to the first user device 110 based on the communication identifier associated with the first user device 110.
  • the second user device 120 may additionally transmit further input data to the first user device 110.
  • the first user device 110 processes the second input data using the data processing element 220 located at the first user device 110 to obtain processed second input data.
  • the first user device 110 performs an authentication response operation to derive authentication response data.
  • the authentication response operation receives as inputs the processed first input data, the processed second input data, and data indicative of a result of an authentication decision made by a user of the first user device 110.
  • the first user device 110 transmits the authentication response data to the access control equipment 130.
  • the access control equipment 130 compares the received authentication response data with expected authentication response data for the given authentication request.
  • the access control equipment 130 transmits data to the second user device 120.
  • the transmitted data indicates whether or not the second user device 120 has been granted access to the at least one resource based on the comparison performed at item S9n.
  • the secure framework 1000 involves a first user device 110, a second user device 120 and an access control equipment 130, as described above.
  • the first user device 110 includes a first data processing element 220.
  • the second user device 120 includes a second data processing element 230.
  • the access control equipment 130 transmits data 1010 to the second user device 120.
  • the data 1010 includes pre-processed first input data, eSA1, and third input data, eSB1.
  • the pre-processed first input data, eSA1, and the third input data, eSB1, are encrypted.
  • the access control equipment 130 transmits data 1020 to the first user device 110.
  • the data 1020 includes second input data, eSA2, and fourth input data, eSB2.
  • the second input data, eSA2, and the fourth input data, eSB2, are encrypted.
  • the second user device 120 processes the pre-processed first input data, eSA1, using the second data processing element 230 located at the second user device 120 to obtain processed first input data, SA1.
  • the second data processing element 230 may be a decryption key, K(eSA1), and the processing of the pre-processed first input data, eSA1, may involve decrypting the first input data, eSA1, using the decryption key K(eSA1). Consequently, the processed first input data may comprise decrypted first input data, SA1.
  • the third input data, eSB1, is not processed using the data processing element 230 in this example.
  • the second user device 120 transmits data 1025 to the first user device 110.
  • Data 1025 includes the decrypted first input data, SA1, and the third input data, eSB1.
  • the first user device 110 processes the second input data, eSA2, using the first data processing element 220 located at the first user device 110 to obtain processed second input data, SA2.
  • the first data processing element 220 may be a decryption key, K(eSA2), and the processing of the second input data, eSA2, may involve decrypting the second input data, eSA2, using the decryption key K(eSA2). Consequently, the processed second input data may comprise decrypted second input data, SA2.
  • the first user device 110 combines the received decrypted first input data, SA1, and the decrypted second input data, SA2, to derive combined decrypted input data 1030.
  • the combined decrypted input data 1030 is input to one or more algorithms 1035 to derive a first authentication data element 1040.
  • the first authentication data element 1040 may comprise a decryption key, K.
  • the first user device 110 also combines the received third input data, eSB1, with the fourth input data, eSB2, to derive combined encrypted data 1050.
  • the combined encrypted data 1050 is input to one or more algorithms 1060.
  • the one or more algorithms 1060 may be the same as or different from the one or more algorithms 1035.
  • the first authentication data element 1040 is also input to the one or more algorithms 1060 to derive a second authentication data element 1070.
  • the second authentication data element 1070 may be a verification code, Vcode.
  • Using the one or more algorithms 1060 to derive the second authentication data element 1070 may involve using the decryption key, K, to decrypt the combined encrypted data 1050.
  • the second authentication data element 1070 may therefore be based on the decrypted combined data 1050.
  • the second authentication data element 1070 is input to one or more algorithms 1080.
  • the one or more algorithms 1080 may be the same as or different from the one or more algorithms 1035 and/or the one or more algorithms 1060.
  • Data, infoAUTH, indicative of a result of an authentication decision made by the user of the first user device 110 is also input to the one or more algorithms 1080 to derive authentication response data, ResponseAUTH, 1090.
  • a message authentication code (MAC) may also be input to the one or more algorithms 1080 to derive the authentication response data 1090.
  • the MAC may be constructed using a cryptographic hash function.
  • the authentication response data 1090 may be transmitted by the first user device 110 to the access control equipment 130 to enable the access control equipment to perform an access control operation relating to one or more resources, as described above. Since the access control equipment 130 is aware of the various parameters used as part of the secure framework, for example the first, second, third and fourth input data, the first and second data processing elements 220, 230, etc., the access control equipment 130 can determine what authentication response data 1090 should result from the secure authentication process. Therefore, if the authentication response data 1090 matches expected authentication response data for a given authentication request, the access control equipment 130 is assured that data has been processed and relayed securely.
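The secure framework of FIG. 10 and the polymorphic-variation argument made earlier (per-request input data defeating replay), carried through as an added, runnable example; this is not code from the patent or from Vzinternet Ltd. It assumes a SHA-256 counter-keystream XOR as the unspecified symmetric cipher, SHA-256 over the combined decrypted input data as algorithms 1035, decryption under K as algorithms 1060, HMAC-SHA256 as the MAC in algorithms 1080 with a MAC key assumed to be shared between the access control equipment 130 and the first user device 110, and the byte strings "APPROVE" and "DENY" as infoAUTH. The class and function names (AccessControlEquipment, FirstUserDevice, SecondUserDevice, run_request, demo) are the example's own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption; the page leaves the cipher unspecified).
    XOR with a SHA-256 counter keystream, so the same call encrypts and decrypts."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def derive(*parts: bytes) -> bytes:
    """Stand-in for algorithms 1035: K = SHA-256 over length-prefixed SA1 and SA2 (data 1030)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


@dataclass
class AccessControlEquipment:
    """Equipment 130: knows both processing elements and the MAC key, hence the expected response."""
    k_esa1: bytes                                   # data processing element 230 (second user device)
    k_esa2: bytes                                   # data processing element 220 (first user device)
    mac_key: bytes                                  # MAC key for algorithms 1080 (assumed shared with 110)
    pending: dict = field(default_factory=dict)     # request id -> Vcode

    def new_request(self, request_id: str):
        """Fresh SA1, SA2 and Vcode per request, so the expected response data never repeats."""
        sa1, sa2, v_code = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(16)
        k = derive(sa1, sa2)                        # the K that the first user device must reconstruct
        e_sb = keystream_xor(k, v_code)             # combined encrypted data 1050 = eSB1 || eSB2
        self.pending[request_id] = v_code
        data_1010 = (keystream_xor(self.k_esa1, sa1), e_sb[:8])   # (eSA1, eSB1) -> device 120
        data_1020 = (keystream_xor(self.k_esa2, sa2), e_sb[8:])   # (eSA2, eSB2) -> device 110
        return data_1010, data_1020

    def access_control(self, request_id: str, response: bytes) -> bool:
        """Grant on the sole condition received == expected for a positive decision; retire the request."""
        v_code = self.pending.pop(request_id, None)
        if v_code is None:
            return False                            # unknown or already-used request
        expected = hmac.new(self.mac_key, v_code + b"APPROVE", hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


@dataclass
class SecondUserDevice:
    """Device 120: applies element 230 to eSA1 and forwards data 1025 = (SA1, eSB1); eSB1 is untouched."""
    k_esa1: bytes

    def process(self, data_1010):
        e_sa1, e_sb1 = data_1010
        return keystream_xor(self.k_esa1, e_sa1), e_sb1


@dataclass
class FirstUserDevice:
    """Device 110: applies element 220, rebuilds K, recovers Vcode, binds infoAUTH into response 1090."""
    k_esa2: bytes
    mac_key: bytes

    def respond(self, data_1020, data_1025, info_auth: bytes) -> bytes:
        e_sa2, e_sb2 = data_1020
        sa1, e_sb1 = data_1025
        sa2 = keystream_xor(self.k_esa2, e_sa2)     # processed second input data SA2
        k = derive(sa1, sa2)                        # 1030 -> 1035 -> first authentication element 1040
        v_code = keystream_xor(k, e_sb1 + e_sb2)    # 1050 -> 1060 -> second authentication element 1070
        return hmac.new(self.mac_key, v_code + info_auth, hashlib.sha256).digest()   # 1080 -> 1090


def run_request(ace, dev1, dev2, request_id: str, decision: bytes) -> bool:
    """One full exchange: 130 -> 120 and 110, 120 -> 110, 110 -> 130, then the access decision."""
    data_1010, data_1020 = ace.new_request(request_id)
    data_1025 = dev2.process(data_1010)
    return ace.access_control(request_id, dev1.respond(data_1020, data_1025, decision))


def demo() -> dict:
    k1, k2, mk = (secrets.token_bytes(32) for _ in range(3))
    ace = AccessControlEquipment(k1, k2, mk)
    dev1, dev2 = FirstUserDevice(k2, mk), SecondUserDevice(k1)
    out = {"approved": run_request(ace, dev1, dev2, "req-1", b"APPROVE"),
           "denied": run_request(ace, dev1, dev2, "req-2", b"DENY")}
    # A device lacking element 230 yields the wrong SA1, so K and Vcode are wrong downstream.
    out["wrong_element_230"] = run_request(ace, dev1, SecondUserDevice(secrets.token_bytes(32)),
                                           "req-3", b"APPROVE")
    # Replay: a captured valid response is useless against a later request (fresh Vcode each time).
    d1010, d1020 = ace.new_request("req-4")
    captured = dev1.respond(d1020, dev2.process(d1010), b"APPROVE")
    out["fresh"] = ace.access_control("req-4", captured)
    ace.new_request("req-5")
    out["replayed"] = ace.access_control("req-5", captured)
    return out
```

Running `demo()` returns True only for the genuine, positive, first-use exchanges; a negative decision, a second device without element 230, or a replayed response all fail the comparison at the access control equipment, which is exactly the property the framework relies on when it cedes the decision to the user of the first user device.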
  • the data communication system 1100 includes a plurality of user devices.
  • user device 1110 is a user device requesting access to at least one resource.
  • user device 1110 may be the second user device 120 as described above.
  • Each of the associated user devices 1111, 1112, 1113, 1114, 1115, 1116, 1117 and 1118 may be authorised to perform authentication for a user of the second user device 1110 for a given authentication request.
  • user devices 1111, 1114, 1115, 1117 and 1118 are available for performing authentication, in other words they are online and/or are able to participate in a communication session.
  • User devices 1112, 1113 and 1116 are not available for performing authentication, in other words they are offline and/or are unable to participate in a communication session.
  • the second user device 1110 receives a list of candidates for performing authentication.
  • the list of candidates is displayed to a user of the second user device 1110.
  • the user of the second user device 1110 may be known as the requesting user.
  • the list of candidates comprises information relating to each available authorised user device.
  • the list of candidates comprises the names of one or more users of each available authorised user device.
  • the list of candidates is associated with a given authentication request.
  • the list of candidates varies between different authentication requests. The requesting user may select a chosen candidate from the list of available candidates. The chosen candidate may then perform authentication as described above.
  • the user devices and/or the users of the user devices which are authorised to perform authentication for a given authentication request may be known by the requesting user.
  • the authorised users may comprise friends, relatives, colleagues or other individuals from within the social circle of the requesting user.
  • the authorised users may therefore be said to form a "trust circle" for the requesting user.
  • These users may be "trusted" to perform authentication for the requesting user. Consequently, an access control equipment 130 or other entity tasked with determining whether to grant access to a requested resource can delegate the responsibility of making the authentication decision to the "trusted" user.
  • One or more members of the requesting user's "trust circle" may additionally possess their own "trust circle" of users.
  • user devices 1119, 1120 and 1121 are authorised to perform authentication for the user of user device 1118.
  • the users of user devices 1119, 1120 and 1121 may therefore be said to form part of the "trust circle" of the user of user device 1118.
  • user devices 1119 and 1121 are available, for example online, and user device 1120 is unavailable, for example offline.
  • users and/or user devices which are not directly connected to a requesting user may still be authorised to perform authentication relating to the requesting user.
  • the users of user devices 1119, 1120 and 1121 may be authorised to perform authentication for the user of the second user device 1110, even though they are not within the immediate "trust circle" of the user of user device 1110.
  • information relating to the "trust circle" for a given user is stored at the user device of the given user.
  • details of user devices 1111, 1112, 1113, 1114, 1115, 1116, 1117 and 1118 may be located at user device 1110.
  • information relating to the "trust circle" for a given user is stored remotely, for example at the access control equipment 130.
  • a user and/or a user device is registered with an access control equipment before the user and/or the user device can be authorised to perform authentication.
  • the user and/or user device may be nominated for registration by a requesting user.
  • the requesting user may already be registered with the access control equipment.
  • the user and/or user device may be nominated for registration by the access control equipment 130.
  • the access control equipment 130 may determine one or more appropriate users to nominate for registration for a given requesting user.
  • the user and/or user device may be placed in a "trust circle" for the given requesting user, and may, if selected by the requesting user, be given the authority to make authentication decisions for the requesting user.
  • one or more members of the requesting user's "trust circle" of authorised user devices are user devices belonging to the requesting user.
  • the requesting user may be able to nominate one of his/her own user devices to be authorised to perform authentication for another of his/her own user devices.
  • the requesting user's nominated user device, in other words the "secondary" user device, may be registered with the access control equipment 130 using a one-time passcode, a Quick Response (QR) code, a near field communication (NFC) system, etc.
  • a trust baseline is created between a user and the access control equipment 130 or one or more further entities.
  • the one or more further entities may include a business, for example an online bank.
  • the trust baseline may be created using a best practice authentication method to register the user on one of the user's preferred devices.
  • the trust baseline may be created through the use of one or more physical or digital keys.
  • User-mediated authentication may be adopted by the one or more further entities, without the need for a multi-factor authentication model to be in place.
  • the starting trust baseline for user-mediated authentication effectively represents the limits of current authentication technology, excluding the use of biometrics, which carry inherent risks as described above.
  • the user can liaise with the user's "trust circle(s)" and/or the one or more further entities to register other devices and/or users.
  • the registration of other devices and/or users may be mediated by the access control equipment 130.
  • Once identity verification nominees accept a nomination and are subsequently approved by a user as valid, the nominees may register additional devices they use and, in turn, the identity verification nominees may nominate their own identity verification nominees.
  • This social network may be managed by the access control equipment 130.
  • the social network may be independent of any individual business entity. Users may therefore nominate individuals not directly associated with the business in question. A given business may therefore benefit from a user's nominated authenticity verification "trust circle" without bearing the cost and/or responsibilities of performing user authentication themselves.
  • a user entering into a new relationship with a given business can permit the given business to make use of the user's pre-existing authentication "trust circles".
  • Authentication may be brokered between a user and a business in real-time, resulting in the business receiving a secure authentication approval or rejection message, based on the response and/or decision of the user's own authenticity nominees and/or the user's own approved secondary device(s).
  • a given business can qualify a user's acceptance of responsibility to participate in user-mediated authentication, for example by presenting the user with terms and conditions.
  • Referring to FIG. 12, there is shown schematically an example of a graphical user interface 1200.
  • the graphical user interface 1200 is associated with the second user device 1110.
  • a nominee list 1205 is obtained by the second user device 1110.
  • the nominee list 1205 may be received from the access control entity 130.
  • the nominee list 1205 is displayed to the user of the second user device 1110 via the graphical user interface 1200.
  • the nominee list 1205 comprises information indicating one or more user devices that are authorised to perform authentication relating to the user of the second user device 1110.
  • the nominee list 1205 comprises information indicating only those authorised user devices that are available, in other words online and/or able to participate in a communication session.
  • the nominee list 1205 may comprise information indicating both available and unavailable authorised user devices.
  • the nominee list 1205 may additionally include information indicating whether a given authorised user device is available or unavailable.
  • the nominee list 1205 comprises one or more fields to allow the user of the second user device 1110 to nominate a new user device, in other words a user device not presently authorised to perform authentication relating to the user of the second user device 1110.
  • the nominee list 1205 displayed to the user of the second user device 1110 comprises information indicating user devices 1111, 1114, 1115, 1117 and 1118.
  • at least one of user devices 1111, 1114, 1115, 1117 and 1118 may be associated with the user of the second user device 1110.
  • the user of the user device upon which the nominee list 1205 is displayed may be the same as the user of one or more of the user devices included in the nominee list 1205.
  • the information indicating a given authorised user device may comprise the name of a user of the given authorised user device.
  • the information indicating a given authorised user device comprises an indication of one or more communication capabilities of the given authorised user device. For example, whether or not a given authorised user device is capable of participating in a real-time video and/or voice call may be indicated.
  • the information indicating a given authorised user device comprises indication of whether the given authorised user device is online.
  • a user of the user device upon which the nominee list 1205 is displayed can select a preferred authorised user device to facilitate authentication.
  • the selection may be received at the user device via user input, for example using a touchscreen, mouse, keyboard and/or automatic voice recognition, etc.
  • Data indicating the selection of the preferred authorised user device may be transmitted to the access control equipment 130 to facilitate the establishment of one or more communication sessions between the preferred authorised user device and the user device upon which the nominee list 1205 is displayed.
  • a user of the user device upon which the nominee list 1205 is displayed can select more than one preferred authorised user device.
  • a preferred authorised user device to facilitate authentication is selected by the access control equipment 130.
  • the access control equipment 130 may select a preferred authorised user device based on one or more authority constraints.
  • the one or more authority constraints may provide an indication of a required authority level of an authorising user for a given authentication request.
  • the one or more authority constraints may include rules, roles and/or filters.
  • the one or more authority constraints may include a requirement that more than one authorised user device performs authentication for a given user and/or for a given authentication request.
  • the one or more authority constraints may be configured by and/or supplied by one or more further entities, for example an e-Business, online bank, etc.
  • the access control equipment 130 may transmit data indicating the selection of the preferred authorised user to the user device upon which the nominee list 1205 is displayed.
  • the user of the user device upon which the nominee list 1205 is displayed may then be requested to confirm the selection of the preferred authorised user device.
  • the user of the user device upon which the nominee list 1205 is displayed and the access control equipment 130 cooperate to select a preferred authorised user device to facilitate authentication.
  • the user of the user device upon which the nominee list 1205 is displayed may select two users, F1 and F2, who are known to the user of the user device upon which the nominee list 1205 is displayed.
  • the access control equipment 130 may determine whether each of the selected users, F1 and F2, has a registered device which is available and/or authorised to facilitate authentication.
  • the access control equipment 130 may, for example, determine that user F1 has an available and authorised smartphone device, whereas user F2 does not have an authorised device available.
  • the access control equipment 130 may therefore select the device of user F1 as the preferred authorised user device to facilitate authentication.
  • the access control equipment 130 transmits data to the user device upon which the nominee list 1205 is displayed, the data indicating that user F1, but not user F2, is able to facilitate authentication.
  • the access control equipment 130 may notify the one or more further entities accordingly.
  • the access control equipment 130 may notify the one or more further entities using a secure message.
  • the one or more further entities may then decide whether to use an alternative authentication method for the given authentication request, or whether to reject the given authentication request.
  • Referring to FIG. 13, there is shown schematically an example of an apparatus 1300.
  • the apparatus 1300 is data processing equipment.
  • examples of data processing equipment include, but are not limited to, a mobile computer, a personal computer system, a wireless device, base station, phone device, user device, access control equipment, desktop computer, laptop, notebook, netbook computer, mainframe computer system, handheld computer, workstation, network computer, application server, storage device, a consumer electronics device such as a camera, camcorder, mobile device, video game console, handheld video game device, a peripheral device such as a switch, modem, router, etc., or in general any type of computing or electronic device.
  • the apparatus 1300 comprises one or more processors 1301 configured to process information and/or instructions.
  • the one or more processors 1301 may comprise a central processing unit (CPU).
  • the one or more processors 1301 are coupled with a bus 1302. Operations performed by the one or more processors 1301 may be carried out by hardware and/or software.
  • the one or more processors 1301 may comprise multiple co-located processors or multiple disparately located processors.
  • the apparatus 1300 comprises computer-useable volatile memory 1303 configured to store information and/or instructions for the one or more processors 1301.
  • the computer-useable volatile memory 1303 is coupled with the bus 1302.
  • the computer-useable volatile memory 1303 may comprise random access memory (RAM).
  • the apparatus 1300 comprises computer-useable non-volatile memory 1304 configured to store information and/or instructions for the one or more processors 1301.
  • the computer-useable non-volatile memory 1304 is coupled with the bus 1302.
  • the computer-useable non-volatile memory 1304 may comprise read-only memory (ROM).
  • the apparatus 1300 comprises one or more data-storage units 1305.
  • the one or more data-storage units 1305 are coupled with the bus 1302.
  • the one or more data-storage units 1305 may for example comprise a magnetic or optical disk and disk drive or a solid-state drive (SSD).
  • the apparatus 1300 comprises one or more input/output (I/O) devices 1306 configured to communicate information to and/or from the one or more processors 1301.
  • the one or more I/O devices 1306 are coupled with the bus 1302.
  • the one or more I/O devices 1306 may comprise at least one network interface.
  • the at least one network interface may enable the apparatus 1300 to communicate via one or more data communications networks. Examples of data communications networks include, but are not limited to, the Internet and a LAN.
  • the one or more I/O devices 1306 may enable a user to provide input to the apparatus 1300 via one or more input devices (not shown).
  • the one or more input devices may include for example a remote control, one or more physical buttons etc.
  • the one or more I/O devices 1306 may enable information to be provided to a user via one or more output devices (not shown).
  • the one or more output devices may for example include a display screen.
  • an operating system 1307, data processing module 1308, one or more further modules 1309, and data 1310 are shown as residing in one, or a combination, of the computer-usable volatile memory 1303, computer-usable non-volatile memory 1304 and the one or more data-storage units 1305.
  • the data processing module 1308 may be implemented by way of computer program code stored in memory locations within the computer-usable non-volatile memory 1304, computer-readable storage media within the one or more data-storage units 1305 and/or other tangible computer-readable storage media.
  • tangible computer-readable storage media include, but are not limited to, an optical medium (e.g., CD-ROM, DVD-ROM), flash memory card, floppy or hard disk or any other medium capable of storing computer readable instructions such as firmware or microcode in at least one ROM or RAM or Programmable ROM (PROM) chips or as an Application Specific Integrated Circuit (ASIC).
  • the apparatus 1300 may therefore comprise a data processing module 1308 which can be executed by the one or more processors 1301.
  • the data processing module 1308 can be configured to include instructions to implement at least some of the operations described herein.
  • the one or more processors 1301 launch, run, execute, interpret or otherwise perform the instructions in the data processing module 1308.
  • examples described herein with reference to the drawings comprise computer processes performed in processing systems or processors.
  • examples described herein also extend to computer programs, for example computer programs on or in a carrier, adapted for putting the examples into practice.
  • the carrier may be any entity or device capable of carrying the program.
  • apparatus 1300 may comprise more, fewer and/or different components from those depicted in Figure 13.
  • the apparatus 1300 may be located in a single location or may be distributed in multiple locations. Such locations may be local or remote.
  • the techniques described herein may be implemented in software or hardware, or may be implemented using a combination of software and hardware. They may include configuring an apparatus to carry out and/or support any or all of techniques described herein.
  • Various measures are provided to facilitate authentication at a user device relating to a user of at least one further user device.
  • the at least one further user device is in a data communication system.
  • the data communication system comprises a group of data processing entities.
  • the group of data processing entities comprises access control equipment and the at least one further user device.
  • First and second input data are received from at least one data processing entity in the group of data processing entities, the first input data having been obtained by the at least one further user device using a first data processing element located at the at least one further user device.
  • the received second input data is processed using a second data processing element to obtain processed second input data.
  • the second data processing element is located at the user device.
  • An authentication response operation is performed to derive authentication response data.
  • the authentication response operation has as inputs the received first input data, the processed second input data, and data indicative of a result of an authentication decision made by a user of the user device.
  • the authentication decision relates to the user of the at least one further user device.
  • the derived authentication response data is outputted for transmission to at least one data processing entity in the group of data processing entities. Outputting the derived authentication response data enables the access control equipment to perform an access control operation.
  • the access control operation relates to at least one resource. The access control operation is based on a comparison of the derived authentication response data with expected authentication response data.
  • the first input data may be received from the at least one further user device.
  • the second input data may be received from the access control equipment.
  • the second data processing element may be determined by cooperating with the access control equipment.
  • the derived authentication response data may be outputted for transmission to the access control equipment.
  • At least one of the inputs to the authentication response operation and/or the second data processing element may vary between at least some different authentication requests.
  • At least one of the inputs to the authentication response operation and/or the second data processing element may vary non-deterministically between at least some different authentication requests.
  • the authentication response operation may be performed by using at least the received first input data and the processed second input data to obtain a first authentication data element.
  • the first authentication data element may be used to derive the authentication response data.
  • the authentication response operation may be performed by using at least the first authentication data element and further input data received from at least one of the data processing entities in the group of data processing entities to derive the authentication response data.
  • the further input data may comprise third input data.
  • the third input data may be received from the at least one further user device.
  • the further input data may comprise fourth input data.
  • the fourth input data may be received from the access control equipment.
  • the authentication response operation may be performed by using the second authentication data element and at least one further data item to derive the authentication response data.
  • the at least one further data item may comprise data indicative of the result of the authentication decision.
  • the at least one further data item may comprise a message authentication code.
  • the second input data may be in an encrypted form when received by the user device.
  • the second data processing element may comprise a decryption key.
  • the second input data may be processed by decrypting the second input data using the decryption key.
  • At least one communication session may be established with the at least one further user device to facilitate the authentication of the user of the at least one further user device by the user of the user device.
  • the at least one communication session may comprise a real-time communication session.
  • the real-time communication session may be in accordance with Real-time Communication, RTC.
  • the real-time communication session may be in accordance with Web Realtime Communication, WebRTC.
  • the at least one communication session may comprise a video call.
  • the at least one communication session may comprise a voice call.
  • the at least one communication session may be a peer-to-peer communication session.
  • a communication identifier may be outputted for transmission to at least one data processing entity in the group of data processing entities.
  • the communication identifier may be associated with the user device.
  • the communication identifier may be used to facilitate establishment of the at least one communication session with the at least one further user device.
  • the communication identifier associated with the user device may be outputted for transmission to the access control equipment.
  • Data indicative of the result of the authentication decision made by the user of the user device may be derived based on user input received via a user interface associated with the user device.
  • the user of the user device may be the same as the user of the at least one further user device.
  • Data comprising a one-time passcode may be received from at least one data processing entity in the group of data processing entities.
  • the data comprising the one-time passcode may be received from the access control equipment.
  • Data comprising the one-time passcode may be outputted for transmission to the at least one further user device.
  • the data communication system comprises a group of data processing entities.
  • the group of data processing entities comprises a first user device and at least one further user device.
  • First and second data are transmitted to at least one data processing entity in the group of data processing entities.
  • Authentication response data is received from at least one data processing entity in the group of data processing entities, the authentication response data having been derived at the first user device by performing an authentication response operation.
  • the authentication response operation has as a first input first input data obtained by the at least one further user device using a first data processing element located at the at least one further user device and the first data transmitted by the access control equipment.
  • the authentication response operation has as a second input second input data obtained by the first user device using a second data processing element located at the first user device and the second data transmitted by the access control equipment.
  • the authentication response operation has as a third input data indicative of a result of an authentication decision made by a user of the first user device relating to a user of the at least one further user device.
  • An authentication result is determined based on a comparison of the received authentication response data with expected authentication response data.
  • An access control operation relating to the at least one resource is performed based on the determined authentication result.
  • the first data may be transmitted to the at least one further user device.
  • the second data may be transmitted to the first user device.
  • the first data processing element and/or the second data processing element may be determined by cooperating with the first user device and/or the at least one further user device.
  • the authentication response data may be received from the first user device.
  • At least one of the inputs to the authentication response operation and/or the second data processing element may vary between at least some different authentication requests.
  • At least one of the inputs to the authentication response operation and/or the second data processing element may vary non-deterministically between at least some different authentication requests.
  • the first data and/or the second data may be transmitted to the at least one data processing entity in the group of data processing entities in encrypted form.
  • Establishment of at least one communication session between the first user device and the at least one further user device may be coordinated to facilitate the authentication of the user of the at least one further user device by the user of the first user device.
  • the at least one communication session may comprise a real-time communication session.
  • the real-time communication session may be in accordance with Real-time Communication, RTC.
  • the real-time communication session may be in accordance with Web Realtime Communication, WebRTC.
  • the at least one communication session may comprise a video call.
  • the at least one communication session may comprise a voice call.
  • the at least one communication session may be a peer-to-peer communication session.
  • Establishment of the at least one communication session may be coordinated in response to receiving a communication identifier from at least one data processing entity in the group of data processing entities.
  • the communication identifier may be associated with the first user device.
  • the communication identifier associated with the first user device may be received from the first user device.
  • Data indicating at least one user device authorised to be used to facilitate the authentication relating to the user of the at least one further user device may be transmitted to the at least one further user device.
  • the at least one authorised user device may include at least the first user device.
  • Data indicating at least one user authorised to facilitate the authentication relating to the user of the at least one further user device may be transmitted to the at least one further user device.
  • the at least one authorised user includes at least the user of the first user device.
  • Availability of at least one authorised user and/or at least one authorised user device may be determined. Data identifying only those authorised users and/or authorised user devices that are determined to be available may be transmitted to the at least one further user device.
  • the user of the first user device may be the same as the user of the at least one further user device.
  • Data comprising a one-time passcode may be transmitted to at least one data processing entity in the group of data processing entities.
  • the data comprising the one-time passcode may be transmitted to the first user device.
  • the communication system comprises a group of data processing entities.
  • the group of data processing entities comprises at least one further user device and access control equipment.
  • First data is received from at least one data processing entity in the group of data processing entities.
  • the received first data is processed using a first data processing element located at the user device to obtain first input data.
  • the first input data is outputted for transmission to at least one data processing entity in the group of data processing entities.
  • Outputting the first input data allows the at least one further user device to perform an authentication response operation to derive authentication response data.
  • the authentication response operation has as a first input the first input data.
  • the authentication response operation has as a second input second input data obtained by the at least one further user device using a second data processing element located at the at least one further user device.
  • the authentication response operation has as a third input data indicative of a result of an authentication decision made by a user of the at least one further user device.
  • the authentication decision relates to a user of the user device.
  • the access control equipment is able to perform an access control operation relating to the at least one resource.
  • the access control operation is based on a comparison of the derived authentication response data with expected authentication response data.
  • the first data may be received from the access control equipment.
  • the first input data may be outputted for transmission to the at least one further user device.
  • the first data processing element may be determined by cooperating with the access control equipment.
  • At least one of the inputs to the authentication response operation and/or the first data processing element may vary between at least some different authentication requests.
  • At least one of the inputs to the authentication response operation and/or the first data processing element may vary non-deterministically between at least some different authentication requests.
  • the first data may be in an encrypted form when received by the user device.
  • the first data processing element may comprise a decryption key.
  • the first data may be processed by decrypting the first data using the decryption key.
  • At least one communication session may be established with the at least one further user device to facilitate the authentication of the user of the user device by at least one user of the at least one further user device.
  • the at least one communication session may comprise a real-time communication session.
  • the real-time communication session may be in accordance with Real-time Communication, RTC.
  • the real-time communication session may be in accordance with Web Realtime Communication, WebRTC.
  • the at least one communication session may comprise a video call.
  • the at least one communication session may comprise a voice call.
  • the at least one communication session may be a peer-to-peer communication session.
  • the at least one communication session may be established in response to receiving at least one communication identifier from at least one data processing entity in the group of data processing entities.
  • the at least one communication identifier may be associated with the at least one further user device.
  • the at least one communication identifier associated with the at least one further user device may be received from the at least one further user device.
  • the at least one communication identifier associated with the at least one further user device may be received from the access control equipment.
  • Data indicating at least one user device authorised to be used to facilitate authentication relating to the user of the user device may be obtained for display to the user of the user device.
  • the at least one authorised user device may include the at least one further user device.
  • Data indicating at least one user authorised to facilitate authentication relating to the user of the user device may be obtained for display to the user of the user device.
  • the at least one authorised user may include the user of the at least one further user device.
  • Data indicating only those authorised users and/or authorised user devices that are available for communication may be obtained for display.
  • the user of the user device may be the same as the user of the at least one further user device.
  • the user device may determine whether establishment of a real-time communication session is allowed between the user device and the at least one further user device. The determination may be based on an identity of the at least one further user device.
  • Establishment of a real-time communication session may not be allowed if the user of the user device is the same as the user of the at least one further user device.
  • Data comprising a one-time passcode may be outputted for transmission to at least one data processing entity in the group of data processing entities. Outputting the data comprising the one-time passcode may be based on receiving user input at the user device.
  • the data comprising the one-time passcode may be outputted for transmission to the access control equipment.
  • the data comprising the one-time passcode may be outputted in response to receiving data comprising the one-time passcode from the at least one further user device.
  • authentication is performed in relation to a user of a user device by a user of another user device. In some examples, authentication is performed in relation to a user of a user device by one or more users of one or more further user devices. Using multiple users and/or further user devices to perform authentication may increase the likelihood of the correct authentication decision being made by the authenticating users. For example, where multiple users have independently authenticated a given user, the access control equipment 130 may have an increased confidence that the given user has been correctly authenticated. In some examples, multi-party multi-device authentication verification is enabled. Step-up role rules may be used, for example in instances where a given authentication request requires one or more secondary authentication decisions from particular users. The step-up role rules may be configured and/or supplied by a given business entity.
  • the step-up role rules may be configured and/or supplied by one or more account administrators.
  • the step-up role rules may be associated with a given authentication request. For example, a transaction relating to a first amount of money requires authentication from a supervising user, whereas a transaction relating to a second amount of money, greater than the first amount of money, requires authentication from a company chief financial officer (CFO) and/or chief executive officer (CEO). If conventional authentication were used, and the CFO and/or the CEO did not have their conventional business-supplied passcode generators to hand, the given transaction would probably not be paid.
  • Using user-mediated authentication means that arbitrary constraints imposed by requiring access to specific passcode generating hardware or using sensitive mobile/browser banking apps in untrusted environments need not be applied.
  • participant honesty is scored, rated and/or regulated to allow a business to determine whether a user is acceptable for user-mediated authentication.
  • the business can determine user acceptability using any appropriate metric or decision- making procedure.
  • Secure user-mediated authentication may be provided to businesses and/or individual users via software adapters, plugins, browsers, mobile applications, software development kits for third party applications, etc.
  • the linking of social network schematics with "trust circles” of authenticity verification nominees and/or their devices, together with rule and role based nominee selection, is well suited to multiparty authentication models such as corporate and conventional multi-signatory accounts, without the inherent constraints, particularly in the area of online banking, that all participants may be required to have a relationship with the bank in question.
  • user-mediated authentication frees the business or banking entity from the liabilities and costs associated with business-mediated authentication, while affording users a more natural real-world trust-centric authentication model that is portable across different businesses and business relationships and is inherently more secure than conventional authentication and transaction approval systems, without incurring the inherent risks associated with biometrics.
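
The nominee selection described above (authority constraints expressed as rules, roles and filters; availability and device authorisation checks; the F1/F2 case in which only F1 has an authorised device available; step-up role rules keyed on the transaction amount; quorum requirements; and the fallback to the further entity when no suitable nominee exists) as an added worked example. This is illustrative Python written for this page, not the patent's or Vzinternet's implementation; the role names, amount thresholds, quorum sizes and the trust circle are assumptions.

```python
from dataclasses import dataclass

# Added illustration of nominee selection under authority constraints.
# Role names, amount thresholds, quorum sizes and the trust circle below are
# assumptions for this example, not values from the patent.

ROLE_RANK = {"peer": 0, "supervisor": 1, "cfo": 2, "ceo": 2}


@dataclass(frozen=True)
class Nominee:
    user: str
    role: str
    device_id: str
    online: bool              # whether the device is currently reachable
    device_authorised: bool   # registered device authorised to facilitate authentication


@dataclass(frozen=True)
class AuthorityConstraint:
    min_role: str   # required authority level of the authorising user
    quorum: int     # distinct authorised devices that must each authenticate


def step_up_constraint(amount: int) -> AuthorityConstraint:
    """Step-up role rule keyed on the transaction amount (thresholds assumed)."""
    if amount < 1_000:
        return AuthorityConstraint("peer", 1)
    if amount < 10_000:
        return AuthorityConstraint("supervisor", 1)
    return AuthorityConstraint("cfo", 2)   # CFO and/or CEO, two approvals required


def select_nominees(trust_circle, preferred, constraint):
    """Access-control-equipment side of the selection.

    Walk the requester's preferred nominees in order, keep those with an
    online, authorised device and sufficient role, and enforce the quorum.
    Returns (selected, unable, status): `unable` maps each rejected nominee to
    the reason, and status is "fallback" when the further entity (bank,
    e-business) has to pick another authentication method or reject."""
    required = ROLE_RANK[constraint.min_role]
    selected, unable = [], {}
    for name in preferred:
        devices = [n for n in trust_circle if n.user == name]
        usable = [n for n in devices if n.online and n.device_authorised]
        if not devices:
            unable[name] = "not in trust circle"
        elif not usable:
            unable[name] = "no authorised device available"
        elif ROLE_RANK[usable[0].role] < required:
            unable[name] = "insufficient authority"
        else:
            selected.append(usable[0])   # one device per authorising user
    status = "ok" if len(selected) >= constraint.quorum else "fallback"
    return selected[:constraint.quorum], unable, status


# Constructed trust circle of the requesting user (not real data).
TRUST_CIRCLE = [
    Nominee("F1", "supervisor", "f1-phone", online=True, device_authorised=True),
    Nominee("F2", "supervisor", "f2-phone", online=False, device_authorised=True),
    Nominee("F3", "cfo", "f3-phone", online=True, device_authorised=True),
    Nominee("F4", "ceo", "f4-laptop", online=True, device_authorised=False),
    Nominee("F4", "ceo", "f4-phone", online=True, device_authorised=True),
]


def decide(amount: int, preferred: list, trust_circle=TRUST_CIRCLE):
    """Apply the step-up rule for `amount` to the requester's preferred nominees."""
    return select_nominees(trust_circle, preferred, step_up_constraint(amount))


if __name__ == "__main__":
    for amount, preferred in [(500, ["F1", "F2"]), (50_000, ["F1", "F3"]), (50_000, ["F3", "F4"])]:
        selected, unable, status = decide(amount, preferred)
        print(amount, [n.device_id for n in selected], unable, status)
```

The `unable` map is what the access control equipment would send back to the nominee list: F2 is reported as having no authorised device available, while a nominee whose device is available but whose role is below the step-up requirement is reported separately, so the requester can tell which problem to fix. A `fallback` status is the point at which the further entity is notified and decides between an alternative authentication method and rejection.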

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A user device (110) facilitates authentication relating to a user of a further user device (120). The user device (110) receives first and second input data and processes the second input data using a second data processing element (220) located in the user device (110) to obtain processed second input data. The first input data is obtained by the further user device (120) using a first data processing element (230) located in the further user device (120). The user device (110) performs an authentication response operation to derive authentication response data. The operation has as inputs the first input data, the processed second input data and data indicative of a result of an authentication decision made by a user of the user device (110). The user device (110) outputs the authentication response data to enable access control equipment (130) to perform an access control operation.
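
The exchange the abstract describes, as an added worked example that is not part of the patent and not Vzinternet's code. It models the access control equipment (130), the further user device (120) whose user is being authenticated, and the user device (110) whose user makes the decision. The first and second data processing elements are modelled as per-device secret keys, the challenges are encrypted by XOR with a single HMAC-SHA256 block, and the authentication response operation is an HMAC over both challenges and the decision; all of these constructions, key sizes and message layouts are assumptions made for the example. It shows why a hijacker who knows which nominee to impersonate still cannot produce a valid response, and why a replayed response is rejected.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added illustration of the three-party exchange. The keystream construction,
# key sizes, message layout and the HMAC-based response are assumptions for
# this example; they are not the patent's own constructions.

APPROVE, DENY = b"\x01", b"\x00"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt a 32-byte challenge by XOR with one HMAC-SHA256 block.
    One PRF block covers a 32-byte random challenge; a deployment would use an
    AEAD such as AES-GCM instead."""
    assert len(data) == 32, "challenge must be exactly one PRF block"
    block = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(d ^ k for d, k in zip(data, block))


@dataclass(frozen=True)
class Challenge:
    request_id: bytes
    nonce: bytes
    ciphertext: bytes


def authentication_response(first_input, processed_second, request_id, decision):
    """Authentication response operation: the first input data (from device 120),
    the processed second input data (decrypted at device 110) and the decision
    of the authorising user are bound together in a keyed MAC."""
    element = hashlib.sha256(first_input + processed_second).digest()
    return hmac.new(element, request_id + decision, hashlib.sha256).digest()


class AccessControlEquipment:
    """Entity 130: issues fresh challenges per request and compares the returned
    response with the expected response."""

    def __init__(self, key_requester: bytes, key_authoriser: bytes):
        self.k_req = key_requester     # first data processing element, held by 120
        self.k_auth = key_authoriser   # second data processing element, held by 110
        self.pending = {}

    def new_request(self):
        request_id = secrets.token_bytes(8)
        c1, c2 = secrets.token_bytes(32), secrets.token_bytes(32)  # vary per request
        n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)
        self.pending[request_id] = (c1, c2)
        first_data = Challenge(request_id, n1, keystream_xor(self.k_req, n1, c1))
        second_data = Challenge(request_id, n2, keystream_xor(self.k_auth, n2, c2))
        return first_data, second_data

    def access_control(self, request_id: bytes, response: bytes) -> str:
        inputs = self.pending.pop(request_id, None)  # single use: a replay is rejected
        if inputs is None:
            return "reject"
        c1, c2 = inputs
        if hmac.compare_digest(response, authentication_response(c1, c2, request_id, APPROVE)):
            return "grant"
        if hmac.compare_digest(response, authentication_response(c1, c2, request_id, DENY)):
            return "deny"
        return "reject"  # forged, tampered, or produced without the right keys


def requester_device(key: bytes, first_data: Challenge) -> bytes:
    """Device 120: recover the first input data; it reaches device 110 over the
    peer session, not from the access control equipment."""
    return keystream_xor(key, first_data.nonce, first_data.ciphertext)


def authoriser_device(key: bytes, first_input: bytes, second_data: Challenge, decision: bytes) -> bytes:
    """Device 110: decrypt the second data and bind the human decision to both challenges."""
    processed_second = keystream_xor(key, second_data.nonce, second_data.ciphertext)
    return authentication_response(first_input, processed_second, second_data.request_id, decision)


def run_exchange(decision: bytes, hijacker: bool = False, replay: bool = False) -> str:
    k_req, k_auth = secrets.token_bytes(32), secrets.token_bytes(32)
    ace = AccessControlEquipment(k_req, k_auth)
    first_data, second_data = ace.new_request()
    first_input = requester_device(k_req, first_data)
    if hijacker:
        # Knows which nominee to impersonate but holds neither key, so can recover
        # neither challenge and has to guess both.
        response = authoriser_device(secrets.token_bytes(32), secrets.token_bytes(32), second_data, APPROVE)
    else:
        response = authoriser_device(k_auth, first_input, second_data, decision)
    result = ace.access_control(first_data.request_id, response)
    if replay:
        return ace.access_control(first_data.request_id, response)  # same response again
    return result


if __name__ == "__main__":
    print(run_exchange(APPROVE), run_exchange(DENY),
          run_exchange(APPROVE, hijacker=True), run_exchange(APPROVE, replay=True))
    # grant deny reject reject
```

The response binds three things the access control equipment can check independently: a challenge only device 120 could decrypt, a challenge only device 110 could decrypt, and the decision. Because both challenges are fresh per request and consumed on first use, a captured response is useless for a later request, and the equipment can distinguish an honest "deny" from a response it cannot account for at all.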

Description

METHODS, USER DEVICES, ACCESS CONTROL EQUIPMENTS, COMPUTER SOFTWARE, COMPUTER PROGRAM PRODUCTS AND SYSTEMS FOR FACILITATING AUTHENTICATION OR ACCESS CONTROL
Technical Field
The present invention relates to methods, user devices, access control equipments, computer software, computer program products and systems for facilitating authentication or access control.
Background
User authentication is an important aspect of access control in many physical and digital systems.
Some known user authentication systems rely on the provision of credentials (for example a username and password) which are compared to stored credentials. An authentication decision is made based on such a comparison. Such authentication systems are susceptible to interception and exploitation, for example by man-in-the-middle attacks.
Some known systems use biometric information, for example fingerprint data, retina scans, and/or facial or voice characteristics to perform authentication. Although a user is not required to memorise or store credentials such as those described above, biometric information is inherently public, can still be stolen or replicated and cannot readily be changed or reset. Moreover, such systems at best prove identity, not intent.
In some known systems, human authentication agents may be used to assist in the authentication of a user. An authentication agent may be, for example, a person in the user's social circle, or may be a representative of a controlling authority associated with a resource to which the user is requesting access. A communication session may be set up between the user and the authentication agent to allow the authentication agent to view or hear the user, and to confirm or deny the identity of the user accordingly. In such systems, the controlling authority takes the authentication agent's feedback into account when determining whether to grant access to the user. However, such an authentication process may still be at risk from interception or hijacking. A perpetrator, knowing the identity of a recognised authentication agent, could hijack an authentication process and authenticate a user when in fact the user is not present, for example. The controlling authority, unaware of any such interception, is therefore inherently at risk of mistakenly granting access based on unreliable or false authentication.
Summary
According to a first aspect of the present invention, there is provided a method, performed by a user device, of facilitating authentication relating to a user of at least one further user device in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
access control equipment; and
the at least one further user device,
the method comprising, at the user device:
receiving first and second input data from at least one data processing entity in the group of data processing entities, the first input data having been obtained by the at least one further user device using a first data processing element located at the at least one further user device;
processing the received second input data using a second data processing element located at the user device to obtain processed second input data;
performing an authentication response operation to derive authentication response data, the authentication response operation having as inputs:
the received first input data,
the processed second input data, and
data indicative of a result of an authentication decision made by a user of the user device relating to the user of the at least one further user device; and
outputting the derived authentication response data for transmission to at least one data processing entity in the group of data processing entities to enable the access control equipment to perform an access control operation relating to at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
According to a second aspect of the present invention, there is provided a user device for facilitating authentication relating to a user of at least one further user device in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
access control equipment; and
the at least one further user device,
the user device being configured to:
receive first and second input data from at least one data processing entity in the group of data processing entities, the first input data having been obtained by the at least one further user device using a first data processing element located at the at least one further user device;
process the received second input data using a second data processing element located at the user device to obtain processed second input data;
perform an authentication response operation to derive authentication response data, the authentication response operation having as inputs:
the received first input data,
the processed second input data,
data indicative of a result of an authentication decision made by a user of the user device relating to the user of the at least one further user device; and
output the derived authentication response data for transmission to at least one data processing entity in the group of data processing entities to enable the access control equipment to perform an access control operation relating to at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
According to a third aspect of the present invention, there is provided computer software adapted to perform a method, at a user device, of facilitating authentication relating to a user of at least one further user device in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
access control equipment; and
the at least one further user device,
the method comprising, at the user device:
receiving first and second input data from at least one data processing entity in the group of data processing entities, the first input data having been obtained by the at least one further user device using a first data processing element located at the at least one further user device;
processing the received second input data using a second data processing element located at the user device to obtain processed second input data;
performing an authentication response operation to derive authentication response data, the authentication response operation having as inputs:
the received first input data,
the processed second input data,
data indicative of a result of an authentication decision made by a user of the user device relating to the user of the at least one further user device; and
outputting the derived authentication response data for transmission to at least one data processing entity in the group of data processing entities to enable the access control equipment to perform an access control operation relating to at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
According to a fourth aspect of the present invention, there is provided a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerised device to cause the computerised device to perform a method, at a user device, of facilitating authentication relating to a user of at least one further user device in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
access control equipment; and
the at least one further user device,
the method comprising, at the user device:
receiving first and second input data from at least one data processing entity in the group of data processing entities, the first input data having been obtained by the at least one further user device using a first data processing element located at the at least one further user device;
processing the received second input data using a second data processing element located at the user device to obtain processed second input data;
performing an authentication response operation to derive authentication response data, the authentication response operation having as inputs:
the received first input data,
the processed second input data,
data indicative of a result of an authentication decision made by a user of the user device relating to the user of the at least one further user device; and
outputting the derived authentication response data for transmission to at least one data processing entity in the group of data processing entities to enable the access control equipment to perform an access control operation relating to at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
According to a fifth aspect of the present invention, there is provided a method, performed by access control equipment, of facilitating access control relating to at least one resource in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
a first user device; and
at least one further user device,
the method comprising, at the access control equipment:
transmitting first and second data to at least one data processing entity in the group of data processing entities;
receiving authentication response data from at least one data processing entity in the group of data processing entities, the authentication response data having been derived at the first user device by performing an authentication response operation, the authentication response operation having, as inputs:
first input data obtained by the at least one further user device using a first data processing element located at the at least one further user device and the first data transmitted by the access control equipment;
second input data obtained by the first user device using a second data processing element located at the first user device and the second data transmitted by the access control equipment; and
data indicative of a result of an authentication decision made by a user of the first user device relating to a user of the at least one further user device;
determining an authentication result based on a comparison of the received authentication response data with expected authentication response data; and
performing an access control operation relating to the at least one resource based on the determined authentication result.
According to a sixth aspect of the invention, there is provided access control equipment for facilitating access control relating to at least one resource in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
a first user device; and
at least one further user device,
the access control equipment being configured to:
transmit first and second data to at least one data processing entity in the group of data processing entities;
receive authentication response data from at least one data processing entity in the group of data processing entities, the authentication response data having been derived at the first user device by performing an authentication response operation, the authentication response operation having, as inputs:
first input data obtained by the at least one further user device using a first data processing element located at the at least one further user device and the first data transmitted by the access control equipment;
second input data obtained by the first user device using a second data processing element located at the first user device and the second data transmitted by the access control equipment; and
data indicative of a result of an authentication decision made by a user of the first user device relating to a user of the at least one further user device;
determine an authentication result based on a comparison of the received authentication response data with expected authentication response data; and
perform an access control operation relating to the at least one resource based on the determined authentication result.
According to a seventh aspect of the invention, there is provided computer software adapted to perform a method, at access control equipment, of facilitating access control relating to at least one resource in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
a first user device; and
at least one further user device,
the method comprising, at the access control equipment:
transmitting first and second data to at least one data processing entity in the group of data processing entities;
receiving authentication response data from at least one data processing entity in the group of data processing entities, the authentication response data having been derived at the first user device by performing an authentication response operation, the authentication response operation having, as inputs:
first input data obtained by the at least one further user device using a first data processing element located at the at least one further user device and the first data transmitted by the access control equipment;
second input data obtained by the first user device using a second data processing element located at the first user device and the second data transmitted by the access control equipment; and
data indicative of a result of an authentication decision made by a user of the first user device relating to a user of the at least one further user device;
determining an authentication result based on a comparison of the received authentication response data with expected authentication response data; and
performing an access control operation relating to the at least one resource based on the determined authentication result.
According to an eighth aspect of the invention, there is provided a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerised device to cause the computerised device to perform a method, at access control equipment, of facilitating access control relating to at least one resource in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
a first user device; and
at least one further user device,
the method comprising, at the access control equipment:
transmitting first and second data to at least one data processing entity in the group of data processing entities;
receiving authentication response data from at least one data processing entity in the group of data processing entities, the authentication response data having been derived at the first user device by performing an authentication response operation, the authentication response operation having, as inputs:
first input data obtained by the at least one further user device using a first data processing element located at the at least one further user device and the first data transmitted by the access control equipment;
second input data obtained by the first user device using a second data processing element located at the first user device and the second data transmitted by the access control equipment; and
data indicative of a result of an authentication decision made by a user of the first user device relating to a user of the at least one further user device;
determining an authentication result based on a comparison of the received authentication response data with expected authentication response data; and
performing an access control operation relating to the at least one resource based on the determined authentication result.
According to a ninth aspect of the invention, there is provided a method, performed by a user device, of facilitating access to at least one resource in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
at least one further user device; and
access control equipment,
the method comprising, at the user device:
receiving first data from at least one data processing entity in the group of data processing entities;
processing the received first data using a first data processing element located at the user device to obtain first input data; and
outputting the first input data for transmission to at least one data processing entity in the group of data processing entities to allow the at least one further user device to perform an authentication response operation to derive authentication response data, the authentication response operation having as inputs the first input data, second input data obtained by the at least one further user device using a second data processing element located at the at least one further user device, and data indicative of a result of an authentication decision made by a user of the at least one further user device relating to a user of the user device, wherein the access control equipment is able to perform an access control operation relating to the at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
According to a tenth aspect of the present invention, there is provided a user device for facilitating access to at least one resource in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
at least one further user device; and
access control equipment,
the user device being configured to:
receive first data from at least one data processing entity in the group of data processing entities;
process the received first data using a first data processing element located at the user device to obtain first input data; and
output the first input data for transmission to at least one data processing entity in the group of data processing entities to allow the at least one further user device to perform an authentication response operation to derive authentication response data, the authentication response operation having as inputs the first input data, second input data obtained by the at least one further user device using a second data processing element located at the at least one further user device, and data indicative of a result of an authentication decision made by a user of the at least one further user device relating to a user of the user device, wherein the access control equipment is able to perform an access control operation relating to the at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
According to an eleventh aspect of the present invention, there is provided computer software adapted to perform a method, at a user device, of facilitating access to at least one resource in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
at least one further user device; and
access control equipment,
the method comprising, at the user device:
receiving first data from at least one data processing entity in the group of data processing entities;
processing the received first data using a first data processing element located at the user device to obtain first input data; and
outputting the first input data for transmission to at least one data processing entity in the group of data processing entities to allow the at least one further user device to perform an authentication response operation to derive authentication response data, the authentication response operation having as inputs the first input data, second input data obtained by the at least one further user device using a second data processing element located at the at least one further user device, and data indicative of a result of an authentication decision made by a user of the at least one further user device relating to a user of the user device, wherein the access control equipment is able to perform an access control operation relating to the at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
According to a twelfth aspect of the present invention, there is provided a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerised device to cause the computerised device to perform a method, at a user device, of facilitating access to at least one resource in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
at least one further user device; and
access control equipment,
the method comprising, at the user device:
receiving first data from at least one data processing entity in the group of data processing entities;
processing the received first data using a first data processing element located at the user device to obtain first input data; and
outputting the first input data for transmission to at least one data processing entity in the group of data processing entities to allow the at least one further user device to perform an authentication response operation to derive authentication response data, the authentication response operation having as inputs the first input data, second input data obtained by the at least one further user device using a second data processing element located at the at least one further user device, and data indicative of a result of an authentication decision made by a user of the at least one further user device relating to a user of the user device, wherein the access control equipment is able to perform an access control operation relating to the at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
According to a thirteenth aspect of the present invention, there is provided a system comprising the user device for facilitating authentication and the user device for facilitating access.
According to a fourteenth aspect of the present invention, there is provided a system comprising the user device for facilitating authentication and the access control equipment for facilitating access control.
According to a fifteenth aspect of the present invention, there is provided a system comprising the user device for facilitating access and the access control equipment for facilitating access control.
According to a sixteenth aspect of the present invention, there is provided a system comprising the user device for facilitating authentication, the user device for facilitating access and the access control equipment for facilitating access control.
Further features and advantages will become apparent from the following description, given by way of example only, which is made with reference to the accompanying drawings.
Brief Description of the Drawings
Figure 1 shows a schematic representation of an example of a data communication system in accordance with an embodiment of the present invention;
Figure 2 shows a schematic representation of another example of a data communication system in accordance with an embodiment of the present invention;
Figure 3 shows a signalling diagram of an example of a method of facilitating authentication in accordance with an embodiment of the present invention;
Figure 4 shows a schematic representation of the example of the data communication system shown in Figure 2 in accordance with an embodiment of the present invention;
Figure 5 shows a signalling diagram of another example of a method of facilitating access to at least one resource in accordance with an embodiment of the present invention;
Figure 6 shows a schematic representation of the example of the data communication system shown in Figures 2 and 4 in accordance with an embodiment of the present invention;
Figure 7 shows a signalling diagram of another example of a method of facilitating access to at least one resource in accordance with an embodiment of the present invention;
Figure 8 shows a signalling diagram of another example of a method of facilitating access to at least one resource in accordance with an embodiment of the present invention;
Figure 9 shows a signalling diagram of another example of a method of facilitating access to at least one resource in accordance with an embodiment of the present invention;
Figure 10 shows a schematic representation of an example of a data processing framework in accordance with an embodiment of the present invention;
Figure 11 shows a schematic representation of another example of a data communication system in accordance with an embodiment of the present invention;
Figure 12 shows a schematic representation of an example of a graphical user interface in accordance with an embodiment of the present invention; and
Figure 13 shows a schematic representation of an example of an apparatus in accordance with an embodiment of the present invention.
Detailed Description
Various embodiments will now be described, by way of example only, which relate to facilitating authentication in the context of controlling access to at least one resource, for example an online computing resource. The examples described herein may be used to facilitate secure and flexible real-time authentication. However, other implementations are envisaged and will be described in more detail below.
Various examples described herein exploit user-mediated authentication, achieved through the establishment of user-to-user interactions. User-to-user interactions may provide a reliable way of performing authentication of a user. If a first user recognises or does not recognise a second user, the first user can quickly and reliably make an authentication decision relating to the second user. However, user-to-user interactions may still be open to attack, for example by an intermediary who intercepts or substitutes the messages carrying the decision. Therefore, a secure framework for user-mediated authentication is provided.
Referring to Figure 1, there is shown schematically an example of a data communication system 100. In this example, the data communication system 100 includes three apparatuses 110, 120, 130. In other examples, the data communication system 100 could include different numbers of apparatuses. The apparatuses 110, 120, 130 are data processing entities. In other words, apparatuses 110, 120, 130 are configured to process data.
In this example, the first data processing entity 110 is a first user device 110.
The first user device 110 is used by an authenticating user, in other words a user that performs authentication in relation to at least one user, which may be the same as the authenticating user or a different user. In this example, the second data processing entity 120 is a second user device 120. The second user device 120 is used by a user in relation to which authentication is to be performed, which may be the same as the authenticating user or a different user. In this example, the third data processing entity 130 is access control equipment 130. The access control equipment 130 is configured to control access to one or more resources.
References to a "first" user device and a "second" user device are made for ease of explanation only, and are not intended to imply a temporal or chronological sequence. For example, an authentication procedure may be initiated by the first user device 110, the second user device 120 or the access control equipment 130. Additionally, the first user device 110 and/or the second user device 120 could belong to an authenticating user, a user in relation to which authentication is to be performed, or neither, according to certain examples.
Some or all of the first user device 110, the second user device 120 and the access control equipment 130 include one or more computing devices. Examples of computing devices include, but are not limited to, a personal computer (PC), a smartphone, a tablet computing device, a laptop computing device, a smart television, a smart watch, a server etc. The first user device 110 is connectable to one or more data communication networks 140 via one or more communication channels 150. The second user device 120 is connectable to the one or more data communication networks 140 via one or more communication channels 160. The access control equipment 130 is connectable to the one or more data communication networks 140 via one or more communication channels 170.
Examples of the data communication network 140 include, but are not limited to, the Internet, a Local Area Network (LAN), a Wide Area Network (WAN), a Wireless Local Area Network (WLAN) etc. The data communication network 140 may include one or more network nodes. Examples of such network nodes include, but are not limited to, routers, switches, servers, etc. The data communication network 140 may also include a plurality of interconnected networks. The one or more data communication networks 140 may be arranged to allow data to be communicated in a secure manner, for example by encrypting data transmitted through the one or more data communication networks 140.
The one or more data communication channels 150, 160, 170 may be wireless communication channels. The wireless communication channels may be provided by one or more cellular networks. In other examples, the one or more data communication channels 150, 160, 170 are wired channels. The one or more communication channels 150, 160, 170 may be established and/or maintained using one or more data communication protocols. Examples of such data communication protocols include, but are not limited to, Real-Time Communication (RTC), Web Real-Time Communication (WebRTC), Interactive Connectivity Establishment (ICE), the Internet Protocol Suite, etc. Application layer protocols such as Hypertext Transfer Protocol 1 (HTTP/1), Hypertext Transfer Protocol 2 (HTTP/2), Extensible Messaging and Presence Protocol (XMPP) or WebSocket may additionally or alternatively be used in some embodiments. In some examples, the one or more communication channels 150, 160, 170 are encrypted to provide secured communications. In some examples, the one or more communication channels 150, 160, 170 are peer-to-peer (P2P) communication channels, in other words providing a direct connection between multiple endpoints. In other examples, the establishment of the one or more communication channels 150, 160, 170 is mediated by one or more devices or proxy devices.
In some examples, the one or more communication channels 150, 160, 170 are used as a framework to establish one or more communication sessions. The one or more communication channels 150, 160, 170 enable data to be communicated between at least some of the data processing entities 110, 120, 130. The one or more communication sessions may be established through the use of one or more communication identifiers. A communication identifier may be associated with a given data processing entity and may be used to establish a communication session with the given data processing entity. Examples of data communication identifiers include, but are not limited to, Internet Protocol (IP) addresses, port identifiers, telephone numbers, available and/or preferred communication platforms, Uniform Resource Locators (URLs), cryptographic nonces or any other information usable in the establishment of the one or more communication sessions via the one or more communication channels 150, 160, 170.
As will be described in greater detail below, the data communication system 100 can be used to perform user-mediated authentication in which a user of the first user device 110 cooperates with a user of the second user device 120 to perform authentication relating to the user of the second user device 120. Data relating to the authentication decision made by the user of the first user device 110 is communicated to the access control equipment 130. The access control equipment 130 compares the data relating to the authentication decision to expected data (for example corresponding to a positive or negative authentication decision) and makes an access control decision based on such a comparison. Since the authentication is performed within a secure framework by the users, the access control equipment 130 can be confident that the authentication has been performed securely, even though the access control equipment 130 does not make the authentication decision itself. Measures are put in place to provide an assurance that both user devices 110, 120 have been involved in the data flow leading to the authentication decision, thereby mitigating against man-in-the-middle and other types of attack. Since the secure framework involves data processing at each of the first user device 110, the second user device 120 and the access control equipment 130, such processing will now be described from the perspective of each of these data processing entities in turn.
Referring to Figure 2, there is shown schematically an example of a data communication system 200. The data communication system 200 corresponds closely to the data communication system 100 shown in Figure 1, with like items shown using like reference signs. However, in this example, the second user device 120 and the access control equipment 130 are considered to form part of a group 210 of data processing entities, from the perspective of the first user device 110.
In addition, the first user device 110 and the second user device 120 each include one or more respective data processing elements 220, 230. The data processing elements 220, 230 may be stored in the memory of user devices 110, 120, respectively. The data processing elements 220, 230 may be stored temporarily or permanently in the memory of user devices 110, 120, respectively. The data processing element 220 located at the first user device 110 may be the same as or different from the data processing element 230 located at the second user device 120. In some examples, the data processing elements 220, 230 are received from a remote source. The data processing elements 220, 230 may be received via the one or more data communication networks 140 or in another manner, for example on a Compact Disc Read-Only Memory (CD-ROM), Universal Serial Bus (USB) flash drive etc. The data processing elements 220, 230 may comprise, for example, decryption keys, lookup tables, cryptographic algorithms, mathematical or transformational functions, or any other parameters, functions, operations, values, tables or factors that can be used to process data. In some examples, the data processing elements 220, 230 are derived by user devices 110, 120, respectively. One or both of the data processing elements 220, 230 may be derived based on an interrogation of one or more device-specific characteristics. Examples of device-specific characteristics include, but are not limited to, a screen resolution of a device, a device identifier, etc. The device-specific characteristics used to derive one or both of the data processing elements 220, 230 may be selected by the access control equipment 130. The data processing elements 220, 230 may be associated with a given authentication request. One or both of the data processing elements 220, 230 may be configured to vary between some or all different authentication requests. 
In some examples, one or more device-specific characteristics that are selected to be used to derive one or both of the data processing elements 220, 230 vary between some or all different authentication requests. Varying the data processing elements 220, 230, or other data used in the authentication process, between different authentication requests can help to reduce predictability, which could otherwise be exploited by malware or other forms of attack. In some examples, such variation of the data processing elements 220, 230 is non-deterministic. The data processing elements 220, 230 are used to enable the access control equipment 130 to be confident that the correct data processing and data flow is used by the first user device 110 and the second user device 120 in performing authentication, as will be described in more detail below.
Referring to Figure 3, there is shown a signalling diagram depicting an example of a method 300 of performing authentication. The method may be employed in a data communication system 200 such as that depicted in Figure 2 and described above, which includes a first user device 110 and a group of data processing entities 210, the group of data processing entities 210 including the second user device 120 and the access control equipment 130.
At item S3 a, the first user device 110 receives first and second input data from at least one data processing entity in the group of data processing entities 210. The first and the second input data may be received via the one or more communication channels 150. The first and the second input data may be received by the first user device 110 in separate data payloads or as separable parts of a single data payload.
Prior to the first user device 110 receiving the first input data, the first input data is obtained by the second user device 120 using a data processing element 230 located at the second user device 120. In some examples, the second user device 120 applies the data processing element 230 to pre-processed first input data, and the resulting processed first input data is what the first user device 110 receives as the first input data. At item S3b, the first user device 110 processes the received second input data using a data processing element 220 located at the first user device 110 to obtain processed second input data.
In some examples, the data processing element 220 includes a transformation function. The first user device 110 may process at least a portion of the received second input data by performing a transformation operation on the at least a portion of the received second input data using the transformation function. The transformation operation may, for example, be an arithmetic operation and/or may involve mapping one set of values to another set of values according to one or more mapping rules associated with the transformation function.
In some examples, the data processing element 220 includes one or more decryption keys. In such examples, at least part of the second input data received by the first user device 110 is received in an encrypted form. The first user device 110 processes at least a portion of the encrypted, second input data by performing a decryption operation using the decryption key. After such a decryption operation has been performed, the second input data, or portion thereof, which was received in an encrypted form, is decrypted. In some examples, the first user device 110 decrypts only part of the second input data, with some of the second input data remaining in an encrypted form.
The data processing element 220 located at the first user device 110 may be associated with a given authentication request from the group of data processing entities 210. The data processing element 220 may be configured to vary between different authentication requests. In some examples, such variation of the data processing element 220 between different authentication requests is non-deterministic. The data processing element 220 to be used for a given authentication request may be determined cooperatively with the access control equipment 130. In some examples, the data processing element 220 to be used for a given authentication request is set by the access control equipment 130. The access control equipment 130 may then transmit an indication of the data processing element 220 to be used for the given authentication request to the first user device 110. In another example, the data processing element 220 to be used for a given authentication request is set by the first user device 110. The first user device 110 may then transmit an indication of the data processing element 220 to be used for the given authentication request to the access control equipment 130. The cooperative agreement between the first user device 110 and the access control equipment 130 of the data processing element 220 to be used may be performed between the first user device 110 and the access control equipment 130 prior to the first user device 110 receiving the first and second input data. This cooperative determination enables the access control equipment 130 to be aware of the data processing element 220 to be used by the first user device 110 for the processing of the second input data for a given authentication request.
At item S3c, the first user device 110 performs an authentication response operation to derive authentication response data. The authentication response operation has several inputs. A first input of the authentication response operation is the received first input data, i.e. the data having been obtained by the second user device 120 using the data processing element 230 located at the second user device 120. A second input of the authentication response operation is the processed second input data, i.e. the data having been obtained by the first user device 110 using the data processing element 220 located at the first user device 110. Consequently, the derived authentication response data is dependent on both the data processing element 220 located at the first user device 110 and the data processing element 230 located at the second user device 120. Both data processing elements 220, 230 are known by the access control equipment 130. A third input of the authentication response operation is data indicative of a result of an authentication decision made by a user of the first user device 110. The authentication decision relates to a user of the second user device 120. At least one of these inputs to the authentication response operation may vary between at least some different authentication requests. In some examples, at least one of these inputs to the authentication response operation varies non-deterministically between at least some different authentication requests.
The access control equipment 130 is aware of the various parameters that are to be used by the first user device 110 and the second user device 120 during the authentication procedure for a given authentication request to derive authentication response data corresponding to a particular authentication response (for example, positive or negative). For example, the access control equipment 130 is aware of the data processing elements 220, 230, the first and second input data, and the data indicative of the result of the authentication decision made by the user of the first user device 110 and uses such awareness to compare received authentication response data to expected authentication response data. In some examples, the access control equipment 130 calculates expected authentication response data using known values and compares the calculated expected authentication response data with received authentication response data. The access control equipment 130 is therefore able to determine what authentication response data should result if the authentication procedure has been performed using the secure framework. Being confident that this secure framework has been adhered to enables the access control equipment 130 to relinquish ultimate authority on the authentication decision to the user devices 110, 120. If a third party were to try to derive the expected authentication response data without having, for example, the data processing element 220, they would have a low probability of obtaining the correct, expected authentication response data.
In some examples, the received first input data and the processed second input data are used to obtain a first authentication data element. The first authentication data element may be used to derive the authentication response data. The first authentication data element may, for example, be a numerical value, a character, a string, a function or any other form of data.
The first authentication data element may be used with further input data received from at least one of the data processing entities in the group of data processing entities 210 to obtain a second authentication data element. The further input data may comprise third input data. The third input data may be received from the second user device 120. The further input data may comprise fourth input data. The fourth input data may be received from the access control equipment 130. The third input data and/or the fourth input data may be received in an encrypted form.
The second authentication data element may for example be a numerical value, a character, a string, a function or any other form of data. The first authentication data element may be used to derive the second authentication data element. Consequently, the second authentication data element is dependent on the data processing element 220 located at the first user device 110, the data processing element 230 located at the second user device 120, the first input data, the second input data, and the further input data. The second authentication data element may be used with at least one further data item to derive the authentication response data. The at least one further data item may comprise the information indicative of the result of the authentication decision by the user of the first user device 110. The at least one further data item may comprise a message authentication code (MAC). The MAC may be derived using a cryptographic key in conjunction with a hash function. In other words, the MAC may be a keyed-hash message authentication code (HMAC).
In some examples, the authentication decision made by the user of the first user device 110 is based on an interaction between the user of the first user device 110 and the user of the second user device 120. At least one communication session may be established between the first user device 110 and the second user device 120 to facilitate the authentication of the user of the second user device 120 by the user of the first user device 110. In some examples, the first user device 110 establishes the at least one communication session with the second user device 120. In other examples, the second user device 120 establishes the at least one communication session with the first user device 110. In some examples, the access control equipment 130 establishes the at least one communication session between the first user device 110 and the second user device 120. Establishing the at least one communication session may involve initiating the at least one communication session, accepting a request to join the at least one communication session, participating in the at least one communication session, etc. The at least one communication session may comprise a real-time communication session. The at least one communication session may comprise a video call, a voice call and/or an instant messaging session. The real-time communication session may be established via the one or more communication channels 150. In another example, the real-time communication session is established on a separate communication channel from the one or more communication channels 150 used for the receiving of the first and the second input data. The real-time communication session may be time-limited, for example it may be terminated after a predetermined amount of time has passed after establishment. The at least one communication session may comprise a P2P communication session. In some examples, establishment of the at least one communication session is mediated by one or more proxy devices. 
The one or more proxy devices may translate data sent in a first form from a first user device. The data may be translated into a second form to be received by a second user device. In some examples, the one or more proxy devices do not store the data being translated. In some examples, establishment of at least one communication session between the first user device 110 and the second user device 120 is facilitated by a communication identifier associated with the first user device 110. The communication identifier may be outputted for transmission by the first user device 110. In some examples, the communication identifier is outputted for transmission to the access control equipment 130.
In some examples, an interaction between the user of the first user device 110 and the user of the second user device 120 comprises an immediate or "real-world" interaction. For example, if the user of the first user device 110 and the user of the second user device 120 are situated in the same physical space, they could speak to each other in person to perform authentication rather than having a real-time data communication session established between the first user device 110 and the second user device 120. The interaction enables the user of the first user device 110 to provide an authentication decision relating to the user of the second user device 120. In some examples, the user of the first user device 110 can confirm or deny the identity of the user of the second user device 120 based on the interaction between the users. In some examples, the user of the first user device 110 can approve or reject a request (for example to access a resource) attempted by the user of the second user device 120 based on such an authentication decision. The authentication decision may be based on a visual recognition of the face of the user of the second user device 120. In some examples, the authentication decision may be based on an aural recognition of the voice of the user of the second user device 120. In some examples, the authentication decision may be based on the sending by the user of the second user device 120 of a code-word or phrase known or expected by the user of the first user device 110.
In some examples, the first user device 110 receives data comprising a one-time passcode from at least one data processing entity in the group of data processing entities 210. The data comprising the one-time passcode may be received from the access control equipment 130. In order to facilitate authentication, the user of the first user device 110 may relay the one-time passcode to the user of the second user device 120. In some examples, data comprising the one-time passcode is outputted for transmission to the second user device 120. The data comprising the one-time passcode may be transmitted via one or more Short Messaging Service (SMS) messages, e-mail, etc. In some examples, the user of the first user device 110 relays the one-time passcode to the user of the second user device 120 via a real-time communication session, e.g. a video call and/or a voice call. The one-time passcode received by the user of the second user device 120 may be inputted to the second user device 120 and transmitted to the access control equipment 130 to facilitate access control relating to the at least one resource.
In some examples, the first user device 110 receives data for display to the user of the first user device 110. The data may represent an image relating to the authentication request. The data representing the image may be received from the access control equipment 130. The image relating to the authentication request may indicate the at least one resource to which access is requested. The user of the first user device 110 may therefore perform an authentication decision relating to the user of the second user device 120 in view of a specific authentication request and/or transaction. In some examples, the image relating to the authentication request is associated with a one-time passcode.
In some examples, the first user device 110 and the second user device 120 both receive data comprising a message for display to the user of the first user device 110 and to the user of the second user device 120, respectively. The user of the second user device 120 may be required to vocalise the content of the message during a real-time voice call, in other words to say the message out loud. Voice-to-text translation may be used to determine whether the user of the second user device 120 speaks the correct message.
In some examples, the authentication decision made by the user of the first user device 110 may be received at the first user device 110 based on user input via a user interface associated with the first user device 110. In some examples, user input comprises user actuation at a graphical control element associated with the first user device 110. Examples of graphical control elements include, but are not limited to, an on-screen button or icon. In some examples, user input comprises user actuation at a keyboard associated with the first user device 110. In some examples, user input is captured by automatic voice recognition. In some examples, the authentication decision may be determined at the first user device 110 based on a lack of user input. The absence of user input may be determined by the first user device 110 if no user input is received during a given time period. The given time period may be the allowed time period for a time-limited, real-time communication session. The absence of user input at the first user device 110 may be configured to indicate a positive authentication decision (e.g. a confirmation of the identity of the user of the second user device 120) or a negative authentication decision (e.g. a denial of the identity of the user of the second user device 120).
In some examples, the first user device 110 is configured to use a response translation element to translate the result of the authentication decision into data indicative of the result of the authentication decision. The result of the authentication decision may be a numerical value (e.g. "1" or "0"), a character (e.g. "Y" or "N"), a string (e.g. "YES" or "NO"), or any other form of information that represents the outcome of the authentication decision made by the user of the first user device 110. The response translation element may include, for example, a numerical value, lookup table, cryptographic algorithm, mathematical or transformational function, passing operator, or any other parameter, function or operator suitable for translating data. The response translation element may be associated with a given authentication request and may vary between different authentication requests. The response translation element may be cooperatively agreed between the first user device 110 and the access control equipment 130, such that the access control equipment 130 knows the response translation element that should be used to translate the result of the authentication decision into data indicative of the result of the authentication decision.
At item S3d, the first user device 110 outputs the derived authentication response data for transmission to at least one data processing entity in the group of data processing entities 210. The derived authentication response data enables the access control equipment 130 to perform an access control operation relating to at least one resource. The access control operation is based on a comparison of the derived authentication response data with expected authentication response data.
Referring to Figure 4, there is shown schematically an example of a data communication system 200 which corresponds to the data communication system 200 shown in Figure 2, with like items shown using like reference signs. However, in this example, the first user device 110 and the access control equipment 130 are considered to form part of a group 400 of data processing entities, from the perspective of the second user device 120.
Referring to Figure 5, there is shown a signalling diagram depicting an example of a method 500 of facilitating access to at least one resource. The method 500 may be employed in a data communication system 200 such as that depicted in Figure 4 and described above, which includes a second user device 120 and a group of data processing entities 400, the group of data processing entities 400 comprising a first user device 110 and an access control equipment 130.
At item S5a, the second user device 120 receives first input data from at least one data processing entity in the group of data processing entities 400. The first input data may be received via the one or more communication channels 160 connecting the second user device 120 to the one or more data communication networks 140. In some examples, the second user device 120 also receives second input data from at least one data processing entity in the group of data processing entities 400. The first and the second input data may be received in separate data payloads. In other examples, the first and the second input data are received as separable parts of a single data payload.
In some examples, the second user device 120 may obtain, for display to the user of the second user device 120, data indicating at least one user device authorised to be used to facilitate authentication relating to the user of the second user device 120. The data indicating the at least one authorised user device may include a nominee list. The data indicating the at least one authorised user device may be received from the access control equipment 130. In some examples, data indicating only those authorised user devices that are determined to be available for communication are obtained for display to the user of the second user device 120. The user of the second user device 120 may make a selection of a preferred nominee from the nominee list. The preferred nominee is involved in performing authentication relating to the user of the second user device 120. The preferred nominee may be a preferred authorised user device, a preferred user of an authorised user device, and/or a user of a preferred authorised user device. In this specific example, the preferred nominee is the first user device 110 and/or the user of the first user device 110. The selection of a preferred authorised user device may be performed via user input at the second user device 120. In some examples, the user input may include touching a graphical control element on a touchscreen corresponding to the preferred nominee. In some examples, the user input may include pressing a button on a mouse and/or on a keyboard associated with the second user device 120. In some examples, the user input may include a verbal indication of the preferred nominee. In some examples, the user of the second user device 120 does not select a preferred authorised user device for authentication. In such examples, a preferred authorised user device may be selected by the access control equipment 130.
In some examples, the second user device 120 receives at least one communication identifier from at least one data processing entity in the group of data processing entities 400. The at least one communication identifier is associated with the first user device 110. The at least one communication identifier may be usable in the establishment of one or more communication sessions between the second user device 120 and the first user device 110. In some examples, the at least one communication identifier is received from the access control equipment 130. In some examples, the at least one communication identifier is received from the first user device 110.
At item S5b, the second user device 120 processes the received (pre-processed) first input data using a data processing element 230 located at the second user device 120 to obtain processed first input data.
As explained above, the data processing element 230 may be a software element stored in the memory of the second user device 120. In some examples, the data processing element 230 is stored temporarily or permanently at the second user device 120. The data processing element 230 may be derived on demand by the second user device 120. The data processing element 230 may be derived based on an interrogation of one or more device-specific characteristics associated with the second user device 120. The one or more device-specific characteristics may include, for example, a screen resolution of the second user device 120, a device identifier, etc. In some examples, the data processing element 230 includes the one or more device-specific characteristics. In some examples, the data processing element 230 is a transformation function. The second user device 120 may process at least a portion of the received first input data by performing a transformation operation on the portion of the received first input data based on the transformation function. The transformation operation may for example be an arithmetic operation and/or may involve exchanging one set of values for another set of values according to one or more rules associated with the transformation function.
In some examples, the data processing element 230 includes a decryption key. In such examples, the first input data received by the second user device 120 is received in an encrypted form. The second user device 120 processes the received first input data by decrypting the first input data using the decryption key.
The data processing element 230 located at the second user device 120 and used in the processing of the first input data may be associated with a given authentication request. The data processing element 230 may be configured to vary between at least some different authentication requests. In some examples, such variation between at least some different authentication requests may be non-deterministic. The second user device 120 may cooperate with the access control equipment 130 to determine the data processing element 230 to be used. In some examples, the data processing element 230 to be used is set by the access control equipment 130. The access control equipment 130 may then transmit an indication of the data processing element 230 to be used to the second user device 120. In some examples, the data processing element 230 to be used is set by the second user device 120. The second user device 120 may then transmit an indication of the data processing element 230 to be used to the access control equipment 130. The cooperative determination enables the access control equipment 130 to be aware of the data processing element 230 to be used by the second user device 120 for the processing of the first input data for a given authentication request.
At item S5c, the second user device 120 outputs the processed first input data for transmission to at least one data processing entity in the group of data processing entities 400. The processed first input data may be transmitted via the one or more communication channels 160. In some examples, the processed first input data is transmitted via a communication channel separate from the one or more communication channels 160 connecting the second user device 120 to the one or more data communication networks 140. In some examples, the second user device 120 also transmits further data to at least one entity of the group of data processing entities 400.
The processed first input data is usable as an input to an authentication response operation performed at the first user device 110. The authentication response operation also has as inputs second input data obtained by the first user device 110 using a data processing element 220 located at the first user device 110, and data indicative of a result of an authentication decision made by a user of the first user device 110. At least one of the inputs to the authentication response operation may be associated with a given authentication request and may vary between different authentication requests. The access control equipment 130 is able to perform an access control operation relating to the at least one resource based on a comparison of the authentication response data with expected authentication response data.
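To make the data flow of method 300 (first user device 110) and method 500 (second user device 120) concrete, the following Python simulates one authentication request across all three parties, including the access control equipment's recomputation of the expected response. This is an added example written for this page, not the applicant's code. It assumes, for concreteness, that each data processing element is derived by HMAC over the device-specific characteristics the access control equipment selects and keyed on a per-request identifier, that the transformation and decryption operations are a SHA-256 keystream XOR (an illustration, not a recommended cipher), and that the MAC key is shared between the first user device and the access control equipment; the device characteristics, inputs and response translation element are constructed.

```python
"""Added example: one authentication request simulated across the access control
equipment (ACE), the first user device 110 and the second user device 120.
Constructed data and assumed constructions; not code from the patent."""
import hashlib
import hmac
import secrets

# Constructed device-specific characteristics held on record by the ACE (assumption).
DEVICE_110 = {"device_id": "dev-110", "screen": "1080x2340", "model": "A"}
DEVICE_120 = {"device_id": "dev-120", "screen": "1440x3200", "model": "B"}


def derive_dpe(characteristics, selected, request_id):
    """Data processing element derived from the characteristics the ACE selected.
    Keying on request_id makes the element vary between authentication requests."""
    material = b"|".join(f"{k}={characteristics[k]}".encode() for k in selected)
    return hmac.new(request_id, material, hashlib.sha256).digest()


def keystream_xor(data, key, label):
    """Transformation / (de)encryption operation used by both devices: XOR with a
    SHA-256 keystream. Symmetric, so the ACE can recompute it (illustration only)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def authentication_response(first_input, processed_second, third_input,
                            fourth_input, decision_value, mac_key):
    """Authentication response operation performed at the first user device 110:
    first element from first input + processed second input; second element from
    first element + further (third, fourth) inputs; HMAC over second element + decision."""
    first_element = hashlib.sha256(first_input + processed_second).digest()
    second_element = hashlib.sha256(first_element + third_input + fourth_input).digest()
    return hmac.new(mac_key, second_element + decision_value, hashlib.sha256).digest()


def run_authentication(decision, tamper_dpe_220=False):
    """Full exchange for one request; returns the ACE's outcome string."""
    # ACE: per-request parameters, all known to the ACE.
    request_id = secrets.token_bytes(16)
    dpe_220 = derive_dpe(DEVICE_110, ("device_id", "screen"), request_id)
    dpe_230 = derive_dpe(DEVICE_120, ("device_id", "model"), request_id)
    first_input = secrets.token_bytes(16)            # pre-processed input for device 120
    second_plain = secrets.token_bytes(16)
    second_input = keystream_xor(second_plain, dpe_220, b"enc")  # encrypted for device 110
    third_input = secrets.token_bytes(8)             # further input from device 120
    fourth_input = secrets.token_bytes(8)            # further input from the ACE
    translation = {"YES": secrets.token_bytes(4), "NO": secrets.token_bytes(4)}  # response translation element
    mac_key = secrets.token_bytes(32)                # assumption: shared by ACE and device 110

    # Second user device 120 (method 500, items S5b and S5c).
    processed_first = keystream_xor(first_input, dpe_230, b"proc")

    # First user device 110 (method 300, items S3b and S3c). A device that does not
    # hold the agreed element 220 (tamper case) decrypts with the wrong key.
    key_220 = secrets.token_bytes(32) if tamper_dpe_220 else dpe_220
    processed_second = keystream_xor(second_input, key_220, b"enc")
    response = authentication_response(processed_first, processed_second, third_input,
                                       fourth_input, translation[decision], mac_key)

    # ACE: recompute the expected responses from its own knowledge and compare.
    expected_first = keystream_xor(first_input, dpe_230, b"proc")
    expected = {
        outcome: authentication_response(expected_first, second_plain, third_input,
                                         fourth_input, translation[outcome], mac_key)
        for outcome in ("YES", "NO")
    }
    if hmac.compare_digest(response, expected["YES"]):
        return "granted"
    if hmac.compare_digest(response, expected["NO"]):
        return "denied"
    return "invalid"   # framework not followed: neither expected value matched
```

Two points the simulation makes explicit: the access control equipment computes the expected response from its own copies of the inputs and elements rather than from anything the devices send (only the final response is compared), and it distinguishes a negative user decision ("denied") from a response that matches neither expected value ("invalid"), which is the case a device lacking the agreed data processing element 220 falls into.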
In some examples, the second user device 120 establishes at least one communication session with the first user device 110 to facilitate the authentication of the user of the second user device 120 by the user of the first user device 110. The at least one communication session may be a real-time communication session. In some examples, the real-time communication session is in accordance with Real-time Communication (RTC). In some examples, the real-time communication session is a WebRTC communication session. The at least one communication session may comprise a video call and/or a voice call. The at least one communication session may be a P2P communication session. In some examples, the at least one communication session is mediated via one or more proxy devices. Examples of such proxy devices include, but are not limited to, the access control equipment 130.
In some examples, the second user device 120 determines whether establishment of a real-time communication session is allowed between the first user device 110 and the second user device 120. Determining whether establishment of a real-time communication session is allowed may be based on an identity of the first user device 110 and/or an identity of the user of the first user device 110. For example, establishment of a real-time communication session may not be allowed if it is determined that the user of the first user device 110 is the same as the user of the second user device 120. In other words, establishment of a real-time communication session may not be allowed if the user of the second user device 120 is self-authenticating using another of their own user devices, namely the first user device 110.
The second user device 120 may cause data comprising a one-time passcode to be transmitted from the access control equipment 130 to the first user device 110. In some examples, the data comprising the one-time passcode is transmitted from the access control equipment 130 to the first user device 110 in response to a determination that establishment of a real-time communication session is not allowed between the first user device 110 and the second user device 120. In some examples, the second user device 120 causes the data comprising the one-time passcode to be transmitted from the access control equipment 130 to the first user device 110 in response to receiving user input at the second user device 120. In some examples, the data comprising the one-time passcode is transmitted from the access control equipment 130 to the first user device 110 in response to receiving user input at the first user device 110. The user input at the second user device 120 and/or the user input at the first user device 110 may include an indication that passcode-mediated authentication is preferred.
In some examples, the second user device 120 receives data comprising a one-time passcode from at least one data processing entity in the group of data processing entities 400. The second user device 120 may receive the data comprising the one-time passcode from the first user device 110. The data comprising the one-time passcode may be received in various different ways from the first user device 110. For example, the data comprising the one-time passcode may be received via SMS, e-mail, etc. In some examples, the one-time passcode is conveyed from the user of the first user device 110 to the user of the second user device 120 via a real-time communication session. The second user device 120 may receive the data comprising the one-time passcode based on user input received via a user interface associated with the second user device 120. The second user device 120 may output data comprising the one-time passcode for transmission to at least one data processing entity in the group of data processing entities 400. In some examples, the second user device 120 outputs the data comprising the one-time passcode for transmission to the access control equipment 130.
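The passcode-mediated path described above (the self-authentication check, the access control equipment issuing a one-time passcode to the first user device, and the second user device submitting the relayed passcode back) is shown below as an added Python example. It is not the applicant's code; the issuer class, the outcome strings, the six-digit format, the lifetime and the injectable clock are assumptions made for the illustration. The passcode is consumed on the first redemption attempt whether or not it matches, so a single code cannot be guessed repeatedly.

```python
"""Added example: passcode-mediated fallback. The ACE issues a one-time passcode to
the first user device; its user relays it to the user of the second user device, who
submits it. The ACE accepts it once, within a time limit. Not code from the patent."""
import hmac
import secrets
import time


def realtime_session_allowed(first_user_id, second_user_id):
    """A user may not authenticate themselves from another of their own devices."""
    return first_user_id != second_user_id


def choose_path(first_user_id, second_user_id, prefers_passcode=False):
    """Select the real-time session or the passcode path from the self-authentication
    rule and the users' stated preference."""
    if prefers_passcode or not realtime_session_allowed(first_user_id, second_user_id):
        return "passcode"
    return "realtime"


class PasscodeIssuer:
    """Access control equipment side of the one-time passcode flow.
    `now` is injectable so that expiry can be exercised without waiting."""

    def __init__(self, lifetime_s=120, digits=6, now=time.time):
        self.lifetime_s = lifetime_s
        self.digits = digits
        self.now = now
        self._pending = {}  # request_id -> (passcode, issued_at, first_device_id)

    def issue(self, request_id, first_device_id):
        """Create the passcode for a request; transmitted to the first user device only."""
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[request_id] = (code, self.now(), first_device_id)
        return code

    def redeem(self, request_id, submitted):
        """Verify the passcode the second user device submits. The entry is removed on
        the first attempt, right or wrong, so a code cannot be guessed repeatedly."""
        entry = self._pending.pop(request_id, None)
        if entry is None:
            return "unknown_or_used"
        code, issued_at, _ = entry
        if self.now() - issued_at > self.lifetime_s:
            return "expired"
        if not hmac.compare_digest(code, submitted):
            return "mismatch"
        return "ok"
```

The comparison uses hmac.compare_digest so that the check does not leak, through timing, how many leading digits of a guess were correct; the expiry check runs before the comparison so that an expired code is never accepted even if it matches.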
In some examples, the second user device 120 receives data for display to the user of the second user device 120. The data may represent an image relating to the authentication request. The data representing the image may be received from the access control equipment 130. The image relating to the authentication request may indicate the at least one resource to which access is requested. In some examples, the image relating to the authentication request is associated with a one-time passcode.
In some examples, the second user device 120 receives data indicating whether or not the user of the second user device 120 has been authenticated. The data may additionally or alternatively indicate whether access to at least one resource has been granted or denied for the user of the second user device 120. In some examples, the data may provide an indication that one or more further authentication procedures are required before access to the at least one resource can be granted. The one or more further authentication procedures may involve, for example, the user of the second user device 120 providing one or more physical or digital keys and/or biometric data. Examples of physical or digital keys include, but are not limited to, smartcards, USB tokens, passwords, etc. In some examples, the data may be received from one or more further entities (not shown) associated with at least one resource. For example, the access control equipment 130 may inform the one or more further entities of the result of the comparison it makes between the received authentication response data and the expected authentication response data, and the one or more further entities may decide whether or not to allow access to the one or more resources with which they are associated based on the information provided by the access control equipment 130.
Referring to Figure 6, there is shown schematically an example of a data communication system 200 which corresponds to the data communication system 200 shown in Figures 2 and 4, with like items shown using like reference signs. However, in this example, the first user device 110 and the second user device 120 are considered to form part of a group 600 of data processing entities, from the perspective of the access control equipment 130. Referring to Figure 7, there is shown a signalling diagram depicting an example of a method 700 of facilitating access control relating to at least one resource. The method 700 may be employed in a data communication system 200 such as that depicted in Figure 6 and described above, which includes an access control equipment 130 and a group 600 of data processing entities, the group 600 of data processing entities comprising a first user device 110 and a second user device 120.
At item S7a, the access control equipment 130 transmits first and second input data to at least one data processing entity in the group 600 of data processing entities. The first and the second input data may be transmitted via the one or more communication channels 170 connecting the access control equipment 130 to the one or more data communication networks 140. The first and the second input data may be transmitted by the access control equipment 130 in separate data payloads or as separable parts of a single data payload. In some examples, the access control equipment 130 also transmits further data to at least one data processing entity in the group 600 of data processing entities. The further data may include third input data and/or fourth input data.
At item S7b, the access control equipment 130 receives authentication response data from at least one data processing entity in the group of data processing entities 600. The authentication response data may be received via the one or more communication channels 170. In some examples, the authentication response data is received via one or more communication channels separate from the one or more communication channels 170.
Prior to being received by the access control equipment 130, the authentication response data is derived at the first user device 110 by the first user device 110 performing an authentication response operation. The authentication response operation has, as inputs, processed first input data having been obtained by the second user device 120 using a data processing element 230 located at the second user device 120, processed second input data having been obtained by the first user device 110 using a data processing element 220 located at the first user device 110, and data indicative of a result of an authentication decision made by a user of the first user device 110. At least one of the inputs to the authentication response operation may be associated with a given authentication request and may vary between different authentication requests. The access control equipment 130 may be configured to vary at least one of the inputs to the authentication response operation. At least one of the inputs to the authentication response operation may be varied non-deterministically, according to some examples.
The access control equipment 130 may transmit a nominee list to the second user device 120. The nominee list comprises data indicating at least one user device authorised to be used to facilitate authentication relating to the user of the second user device 120. In this specific example, the at least one authorised user device includes at least the first user device 110. In some examples, the access control equipment 130 determines an availability of the at least one authorised user device. The availability of a given authorised user device may indicate whether the given authorised user device is currently online. In some examples, the availability of a given authorised user device indicates whether the given authorised user device is able to participate in a real-time communication session with the second user device 120. Data may be transmitted to the second user device 120 indicating only those authorised user devices that are determined to be available. The nominee list may be transmitted by the access control equipment 130 in response to receiving a request from the second user device 120 relating to access to at least one resource. The access control equipment 130 may receive data indicating a selection of a preferred authorised user device from the second user device 120. In response to obtaining the selection of the first user device 110, the access control equipment 130 may transmit data to the first user device 110 indicating that the user of the second user device 120 is requesting access to the resource, and/or that the user of the second user device 120 requires authentication to be performed. The user of the first user device 110 may be given a predetermined amount of time to respond to such an authentication request. In some examples, the access control equipment 130 transmits data to the second user device 120 indicating that the first user device 110 has been contacted.
If the user of the first user device 110 does not respond to the authentication request within the predetermined amount of time, the access control equipment 130 may notify the user of the second user device 120 accordingly. If the user of the first user device 110 indicates a willingness to perform authentication for the user of the second user device 120, a communication identifier associated with the first user device 110 may be transmitted from the first user device 110. In some examples, the communication identifier is transmitted to the second user device 120. For example, the first user device 110 may look up a communication identifier associated with the second user device 120 in its memory and transmit the communication identifier associated with the first user device 110 to the second user device 120 using the looked-up communication identifier of the second user device 120. In some examples, the communication identifier is transmitted to the access control equipment 130. The communication identifier may be used to facilitate establishment of a communication session between the first user device 110 and the second user device 120.
In some examples, the access control equipment 130 transmits data comprising a one-time passcode to at least one data processing entity in the group of data processing entities 600. The data comprising the one-time passcode may be transmitted to the first user device 110. In some examples, the access control equipment 130 receives data comprising the one-time passcode from at least one data processing entity in the group of data processing entities 600. The data comprising the one-time passcode may be received from the second user device 120.
At item S7c, the access control equipment 130 determines an authentication result based on a comparison of the received authentication response data with expected authentication response data. As described above, the access control equipment 130 is aware of the various parameters that should have been used by the first user device 110 and the second user device 120 during the authentication procedure for a given authentication request, for example the data processing elements 220, 230, the first input data and the second input data, etc. The access control equipment 130 may therefore determine what authentication response data should be received if the authentication procedure has been performed, and the result relayed, securely.
At item S7d, the access control equipment 130 performs an access control operation relating to at least one resource for the second user device 120 based on the determined authentication result.
In some examples, the access control operation comprises granting access to at least one resource for the second user device 120. The access control operation may comprise denying access to the at least one resource for the second user device 120. In some examples, the access control operation comprises causing data to be transmitted to the second user device 120. The data transmitted to the second user device 120 may provide an indication that access to the at least one resource is granted. Additionally or alternatively, the data transmitted to the second user device 120 may provide an indication that access to the at least one resource is denied. In some examples, the data transmitted to the second user device 120 provides an indication that one or more further authentication procedures are required before access to the at least one resource can be granted.
In some examples, the access control operation comprises causing data to be transmitted to one or more further entities (not shown). The data transmitted to the one or more further entities may, for example, indicate a recommendation relating to access to the at least one resource. The data transmitted to the one or more further entities may provide an indication that access to the at least one resource should be granted to the second user device 120. In some examples, the data transmitted to the one or more further entities provides an indication that access to the at least one resource should be denied to the second user device 120. In some examples, the data transmitted to the one or more further entities provides an indication that one or more further authentication procedures should be performed before access is granted to the second user device 120.
In some examples, the access control equipment 130 is operable to perform an access control operation based solely on the comparison of the received authentication response data with the expected authentication response data. In some examples, the access control equipment 130 is configured to grant access to at least one resource for the second user device 120 on the sole condition that the received authentication response data is equal to the expected authentication response data. If the received authentication response data is not equal to the expected authentication response data, access to the at least one resource may be denied to the second user device 120. In some examples, a determination that the received authentication response data is not equal to the expected authentication response data may cause one or more further authentication processes to be initiated. The access control equipment 130 relies on the authentication decision made by the user of the first user device 110, provided that the authentication decision is relayed to the access control equipment 130 securely, namely in the form of correct authentication response data. The generation of the correct authentication response data is only possible if the correct data processing elements 220, 230 are used by the first user device 110 and the second user device 120 to process the correct first and second input data received from the access control equipment 130. Generating the correct authentication response data is also dependent on the first input data taking the correct "path" through the data communication system 200. Only if the first input data is obtained by the second user device 120 using the correct data processing element 230 and then communicated to the first user device 110 can the first user device 110 derive the correct authentication response data.
Consequently, the access control equipment 130 can, if the received authentication response data matches the expected authentication response data, be safely assured that the expected first user device 110 and second user device 120 were used for authentication and that data was transferred between them in an expected manner. The generation of the correct authentication response data may also only be possible if a positive authentication decision has been made by the user of the first user device 110. Furthermore, the generation of the correct authentication response data may only be possible if the authentication decision made by the user of the first user device 110 is translated using the correct response translation element.
As the first and second input data, the data processing elements 220, 230 used by the first user device 110 and the second user device 120, and the response translation element are known by the access control equipment 130, the access control equipment 130 knows what authentication response data should result from an authentication response operation performed by the first user device 110. If the output data received from the first user device 110 matches the expected output data, the access control equipment 130 can determine that the authentication process has been carried out, and the result relayed to the access control equipment 130, securely. Consequently, the access control equipment 130 can cede authority on the authentication decision to the user of the first user device 110. By effectively surrendering the responsibility of providing an authentication decision to a user in the data communication system 200, the liability of a controlling authority, e.g. a bank or any other holder of resources which have restricted access, may be reduced. Moreover, by placing the authentication decision into the hands of a human user, the result of the authentication decision may be made more reliable and/or more accurate. Interacting with a user in a secure real-time communication session provides an effective way to recognise and authenticate that user, whether by seeing their face, hearing their voice, holding a conversation with them, etc. Furthermore, by using human-mediated authentication instead of known password-orientated authentication, the burden of choosing and remembering multiple digital keys and passwords may be reduced. Additionally, since, in some examples, biometric data is not stored at any entity involved in authentication, the potential risks associated with storing biometric data, particularly with regard to theft via hacking or other such subterfuge, are reduced. Consequently, security in the authentication procedure may be improved.
Security may be further enhanced by virtue of polymorphic variation within the authentication procedure. One or several factors may vary between different authentication requests. These factors include, but are not limited to, the first and the second input data, the data processing element 220 used by the first user device 110 and the data processing element 230 used by the second user device 120. These factors may also include further input data, the response translation element and the authorised user device selected to perform authentication. Each of these factors may vary non-deterministically. Consequently, even if one or several of these factors were intercepted or stored by a third party during a given authentication request, the third party would not be able to generate the correct authentication response data to match the expected authentication response data for a subsequent authentication request, as the expected authentication response data changes, for example on every occasion. Therefore, man-in-the-middle and replay-type attacks which rely on behavioural consistency may be prevented and authentication performed more securely.
Referring to Figure 8, there is shown a signalling diagram depicting an example of a method 800 of facilitating access control relating to at least one resource. The method 800 may be employed in a data communication system 200 such as that depicted in Figures 2, 4 and 6 and described above, which includes a first user device 110, a second user device 120 and an access control equipment 130. The first user device 110 is used to perform authentication relating to a user of the second user device 120. The second user device 120 may be associated with a request for access to a resource. Access to the resource is controlled by the access control equipment 130. By performing the authentication relating to the user of the second user device 120, the first user device 110 facilitates the control of access to the resource.
At item S8a, the access control equipment 130 transmits first input data to the second user device 120. In some examples, the access control equipment 130 also transmits further data to the second user device 120. The further data may include third input data. The further data may alternatively or additionally include fourth input data.
At item S8b, the access control equipment 130 transmits second input data to the first user device 110. In some examples, the access control equipment 130 also transmits further data to the first user device 110. The further data may include third input data. The further data may alternatively or additionally include fourth input data.
At item S8c, the second user device 120 processes the first input data received at item S8a using the data processing element 230 located at the second user device 120 to obtain processed first input data.
At item S8d, the second user device 120 transmits the processed first input data to the first user device 110. In some examples, the second user device 120 also transmits the third input data and/or the fourth input data to the first user device 110.
At item S8e, the first user device 110 processes the second input data received at item S8b using the data processing element 220 located at the first user device 110 to obtain processed second input data.
In some examples, a real-time communication session is established between the first user device 110 and the second user device 120. The real-time communication session allows the user of the first user device 110 to make a decision on the authenticity of the user of the second user device 120.
At item S8f, the first user device 110 performs an authentication response operation to derive authentication response data. The authentication response operation has as inputs the processed first input data received at item S8a, the processed second input data obtained at item S8e, and data indicative of a result of an authentication decision made by a user of the first user device 110.
At item S8g, the first user device 110 outputs the authentication response data for transmission to the access control equipment 130. In other examples, the authentication response data is transmitted by the first user device 110 to the second user device 120. The second user device 120 then forwards the authentication response data to the access control equipment 130.
At item S8h, the access control equipment 130 compares the received authentication response data with expected authentication response data. The access control equipment 130 is able to perform an access control operation to control access to at least one resource for the second user device 120 based on the result of the comparison.
Referring to Figure 9, there is shown a signalling diagram depicting an example of a method 900 of facilitating access control relating to at least one resource. The method 900 may be employed in a data communication system 200 such as that depicted in Figures 2, 4 and 6 described above, which includes a first user device 110, a second user device 120 and an access control equipment 130.
At item S9a, the access control equipment 130 transmits data to the second user device 120 indicating at least one user device authorised to be used to facilitate authentication relating to a user of the second user device 120. The data indicating at least one authorised user device may comprise a nominee list. The nominee list may be associated with a given authentication request. In some examples, data indicating only those authorised user devices that are available, for example currently able to participate in a communication session with the second user device 120, is transmitted to the second user device 120. The data indicating at least one authorised user device may be transmitted in response to receiving a request relating to the at least one resource from the second user device 120.
At item S9b, the second user device 120 receives user input indicating a selection of a preferred authorised user device from the received nominee list. At item S9c, the second user device 120 transmits data indicating the preferred authorised user device to the access control equipment 130. In this example, the preferred authorised user device is the first user device 110.
At item S9d, the access control equipment 130 transmits data to the first user device 110. The data indicates that an authentication decision relating to the user of the second user device 120 is requested.
At item S9e, the first user device 110 receives user input indicating that the user of the first user device 110 is willing to provide an authentication decision relating to the user of the second user device 120.
At item S9f, the first user device 110 transmits a communication identifier associated with the first user device 110 to the access control equipment 130. In other examples, the first user device 110 transmits the communication identifier to the second user device 120.
At item S9g, the access control equipment 130 transmits first input data to the second user device 120.
At item S9h, the access control equipment 130 transmits second input data to the first user device 110.
At item S9i, the second user device 120 processes the first input data using the data processing element 230 located at the second user device 120 to obtain processed first input data.
At item S9j, the second user device 120 transmits the processed first input data to the first user device 110. The second user device 120 may transmit the processed first input data to the first user device 110 based on the communication identifier associated with the first user device 110. The second user device 120 may additionally transmit further input data to the first user device 110.
At item S9k, the first user device 110 processes the second input data using the data processing element 220 located at the first user device 110 to obtain processed second input data.
At item S9l, the first user device 110 performs an authentication response operation to derive authentication response data. The authentication response operation receives as inputs the processed first input data, the processed second input data, and data indicative of a result of an authentication decision made by a user of the first user device 110.
At item S9m, the first user device 110 transmits the authentication response data to the access control equipment 130.
At item S9n, the access control equipment 130 compares the received authentication response data with expected authentication response data for the given authentication request.
At item S9o, the access control equipment 130 transmits data to the second user device 120. The transmitted data indicates whether or not the second user device 120 has been granted access to the at least one resource based on the comparison performed at item S9n.
Referring to Figure 10, there is shown schematically an example of a secure framework 1000 to generate authentication response data to facilitate access control of resources. The secure framework 1000 involves a first user device 110, a second user device 120 and an access control equipment 130, as described above. The first user device 110 includes a first data processing element 220. The second user device 120 includes a second data processing element 230.
In this example, the access control equipment 130 transmits data 1010 to the second user device 120. The data 1010 includes pre-processed first input data, eSA1, and third input data, eSB1. The pre-processed first input data, eSA1, and the third input data, eSB1, are encrypted.
In this example, the access control equipment 130 transmits data 1020 to the first user device 110. The data 1020 includes second input data, eSA2, and fourth input data, eSB2. The second input data, eSA2, and the fourth input data, eSB2, are encrypted.
In this example, the second user device 120 processes the pre-processed first input data, eSA1, using the second data processing element 230 located at the second user device 120 to obtain processed first input data, SA1. The second data processing element 230 may be a decryption key, K(eSA1) and the processing of the pre-processed first input data, eSA1, may involve decrypting the first input data, eSA1, using the decryption key K(eSA1). Consequently, the processed first input data may comprise decrypted first input data, SA1. The third input data, eSB1, is not processed using the data processing element 230 in this example.
In this example, the second user device 120 transmits data 1025 to the first user device 110. Data 1025 includes the decrypted first input data, SA1, and the third input data, eSB1.
The first user device 110 processes the second input data, eSA2, using the first data processing element 220 located at the first user device 110 to obtain processed second input data, SA2. The first data processing element 220 may be a decryption key, K(eSA2), and the processing of the second input data, eSA2, may involve decrypting the second input data, eSA2, using the decryption key K(eSA2). Consequently, the processed second input data may comprise decrypted second input data, SA2.
In this example, the first user device 110 combines the received decrypted first input data, SA1, and the decrypted second input data, SA2, to derive combined decrypted input data 1030. The combined decrypted input data 1030 is input to one or more algorithms 1035 to derive a first authentication data element 1040. The first authentication data element 1040 may comprise a decryption key, K. The first user device 110 also combines the received third input data, eSB1, with the fourth input data, eSB2, to derive combined encrypted data 1050. The combined encrypted data 1050 is input to one or more algorithms 1060. The one or more algorithms 1060 may be the same as or different from the one or more algorithms 1035. The first authentication data element 1040 is also input to the one or more algorithms 1060 to derive a second authentication data element 1070. The second authentication data element 1070 may be a verification code, VCode. Using the one or more algorithms 1060 to derive the second authentication data element 1070 may involve using the decryption key, K, to decrypt the combined encrypted data 1050. The second authentication data element 1070 may therefore be based on the decrypted combined data 1050.
The second authentication data element 1070 is input to one or more algorithms 1080. The one or more algorithms 1080 may be the same as or different from the one or more algorithms 1035 and/or the one or more algorithms 1060. Data, infoAUTH, indicative of a result of an authentication decision made by the user of the first user device 110 is also input to the one or more algorithms 1080 to derive authentication response data, ResponseAUTH, 1090. A message authentication code (MAC) may also be input to the one or more algorithms 1080 to derive the authentication response data 1090. The MAC may be constructed using a cryptographic hash function.
The authentication response data 1090 may be transmitted by the first user device 110 to the access control equipment 130 to enable the access control equipment to perform an access control operation relating to one or more resources, as described above. Since the access control equipment 130 is aware of the various parameters used as part of the secure framework, for example the first, second, third and fourth input data, the first and second data processing elements 220, 230, etc., the access control equipment 130 can determine what authentication response data 1090 should result from the secure authentication process. Therefore, if the authentication response data 1090 matches expected authentication response data for a given authentication request, the access control equipment 130 is assured that data has been processed and relayed securely.
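The Figure 10 framework, carried through the S8a to S8h sequence end to end, as an added worked model; this is illustrative code written for this page, not the patent's or Vzinternet Ltd's implementation. Everything the patent leaves open is an assumption here: the data processing elements 220 and 230 are modelled as symmetric keys used with an HMAC-SHA256 counter-mode keystream (XOR, so the same function encrypts and decrypts); algorithm 1035 is SHA-256 over SA1||SA2; algorithm 1060 decrypts eSB1||eSB2 with K and hashes the result to give VCode; algorithm 1080 is an HMAC keyed with K over VCode and infoAUTH; and the per-request values SA1, SA2, SB1 and SB2 are 16 random bytes each. The access control equipment keeps the plaintext values it generated, recomputes the expected response for a positive decision, and compares in constant time. The model also exercises the failure cases the paragraphs above describe: a negative decision, the first input data skipping element 230, a wrong element 220, and a response replayed against a later request.

```python
"""Worked model of the Figure 10 secure framework (added illustration, not the patent's code).

Assumptions not in the patent text: elements 220/230 are symmetric keys used with an
HMAC-SHA256 counter-mode keystream; algorithms 1035/1060/1080 are SHA-256 / HMAC-SHA256;
the MAC fed into algorithm 1080 is keyed with the derived key K.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

N = 16  # length in bytes of each of SA1, SA2, SB1, SB2 (constructed choice)


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for any stream-style cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts data (XOR with the keystream is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def derive_k(sa1: bytes, sa2: bytes) -> bytes:
    """Algorithm 1035: combined decrypted input data 1030 -> first authentication data element K."""
    return hashlib.sha256(b"K|" + sa1 + sa2).digest()


def verification_code(k: bytes, esb1: bytes, esb2: bytes) -> bytes:
    """Algorithm 1060: decrypt combined encrypted data 1050 with K -> second element VCode."""
    return hashlib.sha256(b"VCode|" + xor_crypt(k, esb1 + esb2)).digest()


def response(k: bytes, vcode: bytes, info_auth: bytes) -> bytes:
    """Algorithm 1080: MAC over VCode and the human decision -> authentication response data 1090."""
    return hmac.new(k, vcode + b"|" + info_auth, hashlib.sha256).digest()


@dataclass
class Request:
    """Per-request state retained by the access control equipment 130."""
    sa1: bytes
    sa2: bytes
    data1010: tuple  # (eSA1, eSB1) sent to the second user device 120
    data1020: tuple  # (eSA2, eSB2) sent to the first user device 110


class AccessControlEquipment:
    def __init__(self, key_230: bytes, key_220: bytes):
        self.key_230 = key_230  # data processing element at the second user device 120
        self.key_220 = key_220  # data processing element at the first user device 110

    def new_request(self) -> Request:
        """Items S8a/S8b: fresh (polymorphic) inputs for every authentication request."""
        sa1, sa2, sb1, sb2 = (secrets.token_bytes(N) for _ in range(4))
        enc = xor_crypt(derive_k(sa1, sa2), sb1 + sb2)  # eSB1 || eSB2 under K
        data1010 = (xor_crypt(self.key_230, sa1), enc[:N])
        data1020 = (xor_crypt(self.key_220, sa2), enc[N:])
        return Request(sa1, sa2, data1010, data1020)

    def expected(self, req: Request) -> bytes:
        """Item S8h: the response that a positive decision over the correct path must yield."""
        k = derive_k(req.sa1, req.sa2)
        return response(k, verification_code(k, req.data1010[1], req.data1020[1]), b"ACCEPT")

    def verify(self, req: Request, received: bytes) -> bool:
        return hmac.compare_digest(received, self.expected(req))


def second_device_step(key_230: bytes, data1010: tuple) -> tuple:
    """Items S8c/S8d: decrypt eSA1 with element 230 and forward (SA1, eSB1) as data 1025."""
    esa1, esb1 = data1010
    return xor_crypt(key_230, esa1), esb1


def first_device_step(key_220: bytes, data1025: tuple, data1020: tuple, info_auth: bytes) -> bytes:
    """Items S8e-S8g: decrypt eSA2 with element 220, derive K and VCode, produce the response."""
    sa1, esb1 = data1025
    esa2, esb2 = data1020
    k = derive_k(sa1, xor_crypt(key_220, esa2))
    return response(k, verification_code(k, esb1, esb2), info_auth)


def make_parties():
    """Constructed long-term elements 230 and 220 shared with the access control equipment."""
    key_230, key_220 = secrets.token_bytes(32), secrets.token_bytes(32)
    return AccessControlEquipment(key_230, key_220), key_230, key_220


def run_protocol(ace, key_230, key_220, info_auth=b"ACCEPT", skip_230=False):
    """One full run; skip_230 models first input data reaching device 110 without element 230."""
    req = ace.new_request()
    data1025 = req.data1010 if skip_230 else second_device_step(key_230, req.data1010)
    return req, first_device_step(key_220, data1025, req.data1020, info_auth)


if __name__ == "__main__":
    ace, k230, k220 = make_parties()
    req, resp = run_protocol(ace, k230, k220)
    print("correct path, ACCEPT:", ace.verify(req, resp))
    print("replayed response  :", ace.verify(ace.new_request(), resp))
```

Because the expected value is computed only for a positive decision and only for the inputs of that one request, a response carrying a negative decision, one built from eSA1 that never passed through element 230, or one captured during an earlier request all fail the comparison, which is exactly the property the preceding paragraphs rely on.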
Referring to Figure 11, there is shown schematically an example of a data communication system 1100. The data communication system 1100 includes a plurality of user devices.
In this example, user device 1110 is a user device requesting access to at least one resource. For example, user device 1110 may be the second user device 120 as described above. Each of the associated user devices 1111, 1112, 1113, 1114, 1115, 1116, 1117 and 1118 may be authorised to perform authentication for a user of the second user device 1110 for a given authentication request. In this example, user devices 1111, 1114, 1115, 1117 and 1118 are available for performing authentication, in other words they are online and/or are able to participate in a communication session. User devices 1112, 1113 and 1116 are not available for performing authentication, in other words they are offline and/or are unable to participate in a communication session.
In this example, the second user device 1110 receives a list of candidates for performing authentication. The list of candidates is displayed to a user of the second user device 1110. The user of the second user device 1110 may be known as the requesting user. The list of candidates comprises information relating to each available authorised user device. In some examples, the list of candidates comprises the names of one or more users of each available authorised user device. According to some examples, the list of candidates is associated with a given authentication request. In one example, the list of candidates varies between different authentication requests. The requesting user may select a chosen candidate from the list of available candidates. The chosen candidate may then perform authentication as described above.
The user devices and/or the users of the user devices which are authorised to perform authentication for a given authentication request may be known by the requesting user. In some examples, the authorised users may comprise friends, relatives, colleagues or other individuals from within the social circle of the requesting user. The authorised users may therefore be said to form a "trust circle" for the requesting user. These users may be "trusted" to perform authentication for the requesting user. Consequently, an access control equipment 130 or other entity tasked with determining whether to grant access to a requested resource can delegate the responsibility of making the authentication decision to the "trusted" user.
One or more members of the requesting user's "trust circle" may additionally possess their own "trust circle" of users. In the example data communication system 1100, user devices 1119, 1120 and 1121 are authorised to perform authentication for the user of user device 1118. The users of user devices 1119, 1120 and 1121 may therefore be said to form part of the "trust circle" of the user of user device 1118. In this example, user devices 1119 and 1121 are available, for example online, and user device 1120 is unavailable, for example offline. In some examples, users and/or user devices which are not directly connected to a requesting user may still be authorised to perform authentication relating to the requesting user. For example, the users of user devices 1119, 1120 and 1121 may be authorised to perform authentication for the user of the second user device 1110, even though they are not within the immediate "trust circle" of the user of user device 1110.
In some examples, information relating to the "trust circle" for a given user is stored at the user device of the given user. In the example data communication system 1100, details of user devices 1111, 1112, 1113, 1114, 1115, 1116, 1117 and 1118 may be located at user device 1110. In other examples, information relating to the "trust circle" for a given user is stored remotely, for example at the access control equipment 130.
In some examples, a user and/or a user device is registered with an access control equipment before the user and/or the user device can be authorised to perform authentication. The user and/or user device may be nominated for registration by a requesting user. The requesting user may already be registered with the access control equipment. In some examples, the user and/or user device may be nominated for registration by the access control equipment 130. For example, the access control equipment 130 may determine one or more appropriate users to nominate for registration for a given requesting user. Once registered, the user and/or user device may be placed in a "trust circle" for the given requesting user, and may, if selected by the requesting user, be given the authority to make authentication decisions for the requesting user.
In some examples, one or more members of the requesting user's "trust circle" of authorised user devices are user devices belonging to the requesting user. In other words, the requesting user may be able to nominate one of his/her own user devices to be authorised to perform authentication for another of his/her own user devices. The requesting user's nominated user device, in other words the "secondary" user device, may be registered with the access control equipment 130 using a one-time passcode, a Quick Response (QR) code, a near field communication (NFC) system, etc.
In some examples, a trust baseline is created between a user and the access control equipment 130 or one or more further entities. The one or more further entities may include a business, for example an online bank. The trust baseline may be created using a best practice authentication method to register the user on one of the user's preferred devices. The trust baseline may be created through the use of one or more physical or digital keys. User-mediated authentication may be adopted by the one or more further entities, without the need for a multi-factor authentication model to be in place. The starting trust baseline for user-mediated authentication effectively represents the limits of current authentication technology, excluding the use of biometrics, which carry inherent risks as described above. Once a user has a registered device, the user can liaise with the user's "trust circle(s)" and/or the one or more further entities to register other devices and/or users. The registration of other devices and/or users may be mediated by the access control equipment 130. Once identity verification nominees accept a nomination and are subsequently approved by a user as valid, the nominees may register additional devices they use and, in turn, the identity verification nominees may nominate their own identity verification nominees. This social network may be managed by the access control equipment 130. The social network may be independent of any individual business entity. Users may therefore nominate individuals not directly associated with the business in question. A given business may therefore benefit from a user's nominated authenticity verification "trust circle" without bearing the cost and/or responsibilities of performing user authentication themselves.
In some examples, a user entering into a new relationship with a given business can permit the given business to make use of the user's pre-existing authentication "trust circles". Authentication may be brokered between a user and a business in real time, resulting in the business receiving a secure authentication approval or rejection message, based on the response and/or decision of the user's own authenticity nominees and/or the user's own approved secondary device(s). In some examples, a given business can qualify a user's acceptance of responsibility to participate in user-mediated authentication, for example by presenting the user with terms and conditions.
Referring to Figure 12, there is shown schematically an example of a graphical user interface 1200.
In the example of Figure 12, the graphical user interface 1200 is associated with the second user device 1110. A nominee list 1205 is obtained by the second user device 1110. The nominee list 1205 may be received from the access control entity 130. The nominee list 1205 is displayed to the user of the second user device 1110 via the graphical user interface 1200. The nominee list 1205 comprises information indicating one or more user devices that are authorised to perform authentication relating to the user of the second user device 1110. In some examples, the nominee list 1205 comprises information indicating only those authorised user devices that are available, in other words online and/or able to participate in a communication session. The nominee list 1205 may comprise information indicating both available and unavailable authorised user devices. The nominee list 1205 may additionally include information indicating whether a given authorised user device is available or unavailable. In some examples, the nominee list 1205 comprises one or more fields to allow the user of the second user device 1110 to nominate a new user device, in other words a user device not presently authorised to perform authentication relating to the user of the second user device 1110.
In this example, the nominee list 1205 displayed to the user of the second user device 1110 comprises information indicating user devices 1111, 1114, 1115, 1117 and 1118. In some examples, at least one of user devices 1111, 1114, 1115, 1117 and 1118 may be associated with the user of the second user device 1110. In other words, the user of the user device upon which the nominee list 1205 is displayed may be the same as the user of one or more of the user devices included in the nominee list 1205. The information indicating a given authorised user device may comprise the name of a user of the given authorised user device. In some examples, the information indicating a given authorised user device comprises an indication of one or more communication capabilities of the given authorised user device. For example, whether or not a given authorised user device is capable of participating in a real-time video and/or voice call may be indicated. In some examples, the information indicating a given authorised user device comprises indication of whether the given authorised user device is online.
A user of the user device upon which the nominee list 1205 is displayed can select a preferred authorised user device to facilitate authentication. The selection may be received at the user device via user input, for example using a touchscreen, mouse, keyboard and/or automatic voice recognition, etc. Data indicating the selection of the preferred authorised user device may be transmitted to the access control equipment 130 to facilitate the establishment of one or more communication sessions between the preferred authorised user device and the user device upon which the nominee list 1205 is displayed. In some examples, a user of the user device upon which the nominee list 1205 is displayed can select more than one preferred authorised user device. If one preferred authorised user device does not respond to a request to facilitate authentication and/or is not able to participate in a communication session with the user device upon which the nominee list 1205 is displayed, another preferred authorised user device may be contacted. In some examples, a preferred authorised user device to facilitate authentication is selected by the access control equipment 130. The access control equipment 130 may select a preferred authorised user device based on one or more authority constraints. The one or more authority constraints may provide an indication of a required authority level of an authorising user for a given authentication request. The one or more authority constraints may include rules, roles and/or filters. The one or more authority constraints may include a requirement that more than one authorised user device performs authentication for a given user and/or for a given authentication request. The one or more authority constraints may be configured by and/or supplied by one or more further entities, for example an e-Business, online bank, etc. 
The access control equipment 130 may transmit data indicating the selection of the preferred authorised user to the user device upon which the nominee list 1205 is displayed. The user of the user device upon which the nominee list 1205 is displayed may then be requested to confirm the selection of the preferred authorised user device.
In some examples, the user of the user device upon which the nominee list 1205 is displayed and the access control equipment 130 cooperate to select a preferred authorised user device to facilitate authentication. For example, the user of the user device upon which the nominee list 1205 is displayed may select two users, F1 and F2, who are known to the user of the user device upon which the nominee list 1205 is displayed. The access control equipment 130 may determine whether each of the selected users, F1 and F2, has a registered device which is available and/or authorised to facilitate authentication. The access control equipment 130 may, for example, determine that user F1 has an available and authorised smartphone device, whereas user F2 does not have an authorised device available. The access control equipment 130 may therefore select the device of user F1 as the preferred authorised user device to facilitate authentication. In some examples, the access control equipment 130 transmits data to the user device upon which the nominee list 1205 is displayed, the data indicating that user F1, but not user F2, is able to facilitate authentication.
If no authorised user device is available for the given authentication request, the access control equipment 130 may notify the one or more further entities accordingly. The access control equipment 130 may notify the one or more further entities using a secure message. The one or more further entities may then decide whether to use an alternative authentication method for the given authentication request, or whether to reject the given authentication request.
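The nominee list, the availability filtering, the cooperative selection of the devices of users F1 and F2 and the "trust circle of a trust circle" of Figure 11 can be seen together in a small model. The following Python script is an added illustration and is not code from the patent or from Vzinternet Ltd. The registry of devices, the user names (Alice, Rita, Gina, F1, F2 and so on), the `hops` parameter for indirect trust circles and the `min_authorisers` authority constraint are all this example's own assumptions; device availability is modelled as a static `online` flag rather than a live presence check.

```python
"""Nominee-list construction and preferred-device selection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str             # reference numeral used in the text, e.g. "1111"
    owner: str                 # user name shown to the requesting user
    online: bool               # able to take part in a communication session
    video: bool                # capability indication: real-time video call supported
    authorises_for: frozenset  # requesting users this device is registered to authenticate


# Constructed registry mirroring Figure 11: Rita's circle owns 1111-1118 (1112, 1113 and 1116 offline);
# Gina's own circle owns 1119-1121 (1120 offline). F1 and F2 are the users of the Figure 12 scenario.
REGISTRY = (
    Device("1111", "Alice", True, True, frozenset({"Rita"})),
    Device("1112", "Bob", False, True, frozenset({"Rita"})),
    Device("1113", "Carol", False, False, frozenset({"Rita"})),
    Device("1114", "Dan", True, False, frozenset({"Rita"})),
    Device("1115", "Eve", True, True, frozenset({"Rita"})),
    Device("1116", "F2", False, True, frozenset({"Rita"})),   # F2's only device is offline
    Device("1117", "F1", True, True, frozenset({"Rita"})),    # F1's smartphone is online
    Device("1118", "Gina", True, True, frozenset({"Rita"})),
    Device("1119", "Hal", True, True, frozenset({"Gina"})),
    Device("1120", "Ian", False, True, frozenset({"Gina"})),
    Device("1121", "Jo", True, False, frozenset({"Gina"})),
)


def trust_circle(registry, user):
    """Direct trust circle: owners of devices registered to authenticate `user`."""
    return {d.owner for d in registry if user in d.authorises_for}


def extended_trust_circle(registry, user, hops=1):
    """Users reachable through up to `hops` trust-circle links; hops=2 adds the circles of circle members."""
    reached, frontier = set(), {user}
    for _ in range(hops):
        frontier = {m for u in frontier for m in trust_circle(registry, u)} - reached - {user}
        reached |= frontier
    return reached


def nominee_list(registry, requesting_user, available_only=True, hops=1):
    """Rows of the nominee list shown on the requesting device, in registry order."""
    circle = extended_trust_circle(registry, requesting_user, hops)
    rows = []
    for d in registry:
        if d.owner not in circle or (available_only and not d.online):
            continue
        rows.append({"device": d.device_id, "user": d.owner, "online": d.online, "video": d.video})
    return rows


def select_preferred(registry, requesting_user, chosen_users, min_authorisers=1):
    """Access control side of the cooperative selection: for each user the requester picked, find a
    device that is registered, authorised for the requester and online. Returns (selected device ids,
    users with no such device, whether the authority constraint on the number of authorisers holds).
    An unmet constraint is the case where the relying business would be notified instead."""
    selected, unavailable = [], []
    for user in chosen_users:
        online = [d for d in registry
                  if d.owner == user and requesting_user in d.authorises_for and d.online]
        if online:
            selected.append(online[0].device_id)
        else:
            unavailable.append(user)
    return selected, unavailable, len(selected) >= min_authorisers


if __name__ == "__main__":
    print(nominee_list(REGISTRY, "Rita"))
    print(nominee_list(REGISTRY, "Rita", hops=2))
    print(select_preferred(REGISTRY, "Rita", ["F1", "F2"]))
```

With the constructed registry, the default nominee list for Rita contains devices 1111, 1114, 1115, 1117 and 1118, the available devices of Figure 11; `hops=2` additionally surfaces Hal's and Jo's devices from Gina's circle; and selecting F1 and F2 yields F1's device 1117 while reporting F2 as having no available authorised device. Raising `min_authorisers` to 2 leaves the selection unchanged but flags the authority constraint as unmet.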
Referring to Figure 13, there is shown schematically an example of an apparatus 1300.
In some examples, the apparatus 1300 is data processing equipment. Examples of data processing equipment include, but are not limited to, a mobile computer, a personal computer system, a wireless device, base station, phone device, user device, access control equipment, desktop computer, laptop, notebook, netbook computer, mainframe computer system, handheld computer, workstation, network computer, application server, storage device, a consumer electronics device such as a camera, camcorder, mobile device, video game console, handheld video game device, a peripheral device such as a switch, modem, router, etc., or in general any type of computing or electronic device.
In this example, the apparatus 1300 comprises one or more processors 1301 configured to process information and/or instructions. The one or more processors 1301 may comprise a central processing unit (CPU). The one or more processors 1301 are coupled with a bus 1302. Operations performed by the one or more processors 1301 may be carried out by hardware and/or software. The one or more processors 1301 may comprise multiple co-located processors or multiple disparately located processors.
In this example, the apparatus 1300 comprises computer-useable volatile memory 1303 configured to store information and/or instructions for the one or more processors 1301. The computer-useable volatile memory 1303 is coupled with the bus 1302. The computer-useable volatile memory 1303 may comprise random access memory (RAM).
In this example, the apparatus 1300 comprises computer-useable non-volatile memory 1304 configured to store information and/or instructions for the one or more processors 1301. The computer-useable non-volatile memory 1304 is coupled with the bus 1302. The computer-useable non-volatile memory 1304 may comprise read-only memory (ROM).
In this example, the apparatus 1300 comprises one or more data-storage units 1305 configured to store information and/or instructions. The one or more data-storage units 1305 are coupled with the bus 1302. The one or more data-storage units 1305 may for example comprise a magnetic or optical disk and disk drive or a solid-state drive (SSD).
In this example, the apparatus 1300 comprises one or more input/output (I/O) devices 1306 configured to communicate information to and/or from the one or more processors 1301. The one or more I/O devices 1306 are coupled with the bus 1302. The one or more I/O devices 1306 may comprise at least one network interface. The at least one network interface may enable the apparatus 1300 to communicate via one or more data communications networks. Examples of data communications networks include, but are not limited to, the Internet and a LAN. The one or more I/O devices 1306 may enable a user to provide input to the apparatus 1300 via one or more input devices (not shown). The one or more input devices may include for example a remote control, one or more physical buttons etc. The one or more I/O devices 1306 may enable information to be provided to a user via one or more output devices (not shown). The one or more output devices may for example include a display screen.
Various other entities are depicted for the apparatus 1300. For example, when present, an operating system 1307, data processing module 1308, one or more further modules 1309, and data 1310 are shown as residing in one, or a combination, of the computer-usable volatile memory 1303, computer-usable non-volatile memory 1304 and the one or more data-storage units 1305. The data processing module 1308 may be implemented by way of computer program code stored in memory locations within the computer-usable non-volatile memory 1304, computer-readable storage media within the one or more data-storage units 1305 and/or other tangible computer-readable storage media. Examples of tangible computer-readable storage media include, but are not limited to, an optical medium (e.g., CD-ROM, DVD-ROM), flash memory card, floppy or hard disk or any other medium capable of storing computer readable instructions such as firmware or microcode in at least one ROM or RAM or Programmable ROM (PROM) chips or as an Application Specific Integrated Circuit (ASIC). The apparatus 1300 may therefore comprise a data processing module 1308 which can be executed by the one or more processors 1301. The data processing module 1308 can be configured to include instructions to implement at least some of the operations described herein. During operation, the one or more processors 1301 launch, run, execute, interpret or otherwise perform the instructions in the data processing module 1308.
Although at least some aspects of the examples described herein with reference to the drawings comprise computer processes performed in processing systems or processors, examples described herein also extend to computer programs, for example computer programs on or in a carrier, adapted for putting the examples into practice. The carrier may be any entity or device capable of carrying the program.
It will be appreciated that the apparatus 1300 may comprise more, fewer and/or different components from those depicted in Figure 13.
The apparatus 1300 may be located in a single location or may be distributed in multiple locations. Such locations may be local or remote.
The techniques described herein may be implemented in software or hardware, or may be implemented using a combination of software and hardware. They may include configuring an apparatus to carry out and/or support any or all of techniques described herein.
Various measures (methods, apparatuses, computer software, computer program products and systems) are provided to facilitate authentication at a user device relating to a user of at least one further user device. The at least one further user device is in a data communication system. The data communication system comprises a group of data processing entities. The group of data processing entities comprises access control equipment and the at least one further user device. First and second input data are received from at least one data processing entity in the group of data processing entities, the first input data having been obtained by the at least one further user device using a first data processing element located at the at least one further user device. The received second input data is processed using a second data processing element to obtain processed second input data. The second data processing element is located at the user device. An authentication response operation is performed to derive authentication response data. The authentication response operation has as inputs the received first input data, the processed second input data, and data indicative of a result of an authentication decision made by a user of the user device. The authentication decision relates to the user of the at least one further user device. The derived authentication response data is outputted for transmission to at least one data processing entity in the group of data processing entities. Outputting the derived authentication response data enables the access control equipment to perform an access control operation. The access control operation relates to at least one resource. The access control operation is based on a comparison of the derived authentication response data with expected authentication response data.
The first input data may be received from the at least one further user device.
The second input data may be received from the access control equipment.
The second data processing element may be determined by cooperating with the access control equipment.
The derived authentication response data may be outputted for transmission to the access control equipment.
At least one of the inputs to the authentication response operation and/or the second data processing element may vary between at least some different authentication requests.
At least one of the inputs to the authentication response operation and/or the second data processing element may vary non-deterministically between at least some different authentication requests.
The authentication response operation may be performed by using at least the received first input data and the processed second input data to obtain a first authentication data element. The first authentication data element may be used to derive the authentication response data.
The authentication response operation may be performed by using at least the first authentication data element and further input data received from at least one of the data processing entities in the group of data processing entities to derive the authentication response data. The further input data may comprise third input data. The third input data may be received from the at least one further user device.
The further input data may comprise fourth input data. The fourth input data may be received from the access control equipment.
The authentication response operation may be performed by using the second authentication data element and at least one further data item to derive the authentication response data.
The at least one further data item may comprise data indicative of the result of the authentication decision. The at least one further data item may comprise a message authentication code.
The second input data may be in an encrypted form when received by the user device. The second data processing element may comprise a decryption key. The second input data may be processed by decrypting the second input data using the decryption key.
At least one communication session may be established with the at least one further user device to facilitate the authentication of the user of the at least one further user device by the user of the user device.
The at least one communication session may comprise a real-time communication session.
The real-time communication session may be in accordance with Real-time Communication, RTC.
The real-time communication session may be in accordance with Web Realtime Communication, WebRTC.
The at least one communication session may comprise a video call. The at least one communication session may comprise a voice call.
The at least one communication session may be a peer-to-peer communication session.
A communication identifier may be outputted for transmission to at least one data processing entity in the group of data processing entities. The communication identifier may be associated with the user device. The communication identifier may be used to facilitate establishment of the at least one communication session with the at least one further user device.
The communication identifier associated with the user device may be outputted for transmission to the access control equipment.
Data indicative of the result of the authentication decision made by the user of the user device may be derived based on user input received via a user interface associated with the user device.
The user of the user device may be the same as the user of the at least one further user device.
Data comprising a one-time passcode may be received from at least one data processing entity in the group of data processing entities.
The data comprising the one-time passcode may be received from the access control equipment.
Data comprising the one-time passcode may be outputted for transmission to the at least one further user device.
Various measures (methods, apparatuses, computer software, computer program products and systems) are provided to facilitate access control at an access control equipment relating to at least one resource in a data communication system. The data communication system comprises a group of data processing entities. The group of data processing entities comprises a first user device and at least one further user device. First and second data are transmitted to at least one data processing entity in the group of data processing entities. Authentication response data is received from at least one data processing entity in the group of data processing entities, the authentication response data having been derived at the first user device by performing an authentication response operation. The authentication response operation has as a first input first input data obtained by the at least one further user device using a first data processing element located at the at least one further user device and the first data transmitted by the access control equipment. The authentication response operation has as a second input second input data obtained by the first user device using a second data processing element located at the first user device and the second data transmitted by the access control equipment. The authentication response operation has as a third input data indicative of a result of an authentication decision made by a user of the first user device relating to a user of the at least one further user device. An authentication result is determined based on a comparison of the received authentication response data with expected authentication response data. An access control operation relating to the at least one resource is performed based on the determined authentication result.
The first data may be transmitted to the at least one further user device.
The second data may be transmitted to the first user device.
The first data processing element and/or the second data processing element may be determined by cooperating with the first user device and/or the at least one further user device.
The authentication response data may be received from the first user device.
At least one of the inputs to the authentication response operation and/or the second data processing element may vary between at least some different authentication requests.
At least one of the inputs to the authentication response operation and/or the second data processing element may vary non-deterministically between at least some different authentication requests.
The first data and/or the second data may be transmitted to the at least one data processing entity in the group of data processing entities in encrypted form.
Establishment of at least one communication session between the first user device and the at least one further user device may be coordinated to facilitate the authentication of the user of the at least one further user device by the user of the first user device.
The at least one communication session may comprise a real-time communication session.
The real-time communication session may be in accordance with Real-time Communication, RTC.
The real-time communication session may be in accordance with Web Realtime Communication, WebRTC.
The at least one communication session may comprise a video call. The at least one communication session may comprise a voice call. The at least one communication session may be a peer-to-peer communication session.
Establishment of the at least one communication session may be coordinated in response to receiving a communication identifier from at least one data processing entity in the group of data processing entities. The communication identifier may be associated with the first user device.
The communication identifier associated with the first user device may be received from the first user device.
Data indicating at least one user device authorised to be used to facilitate the authentication relating to the user of the at least one further user device may be transmitted to the at least one further user device. The at least one authorised user device may include at least the first user device.
Data indicating at least one user authorised to facilitate the authentication relating to the user of the at least one further user device may be transmitted to the at least one further user device. The at least one authorised user includes at least the user of the first user device.
Availability of at least one authorised user and/or at least one authorised user device may be determined. Data identifying only those authorised users and/or authorised user devices that are determined to be available may be transmitted to the at least one further user device.
The user of the first user device may be the same as the user of the at least one further user device.
Data comprising a one-time passcode may be transmitted to at least one data processing entity in the group of data processing entities.
The data comprising the one-time passcode may be transmitted to the first user device.
Various measures (methods, apparatuses, computer software, computer program products and systems) are provided to facilitate access, at a user device, to at least one resource in a communication system. The communication system comprises a group of data processing entities. The group of data processing entities comprises at least one further user device and access control equipment. First data is received from at least one data processing entity in the group of data processing entities. The received first data is processed using a first data processing element located at the user device to obtain first input data. The first input data is outputted for transmission to at least one data processing entity in the group of data processing entities. Outputting the first input data allows the at least one further user device to perform an authentication response operation to derive authentication response data. The authentication response operation has as a first input the first input data. The authentication response operation has as a second input second input data obtained by the at least one further user device using a second data processing element located at the at least one further user device. The authentication response operation has as a third input data indicative of a result of an authentication decision made by a user of the at least one further user device. The authentication decision relates to a user of the user device. The access control equipment is able to perform an access control operation relating to the at least one resource. The access control operation is based on a comparison of the derived authentication response data with expected authentication response data.
The first data may be received from the access control equipment.
The first input data may be outputted for transmission to the at least one further user device.
The first data processing element may be determined by cooperating with the access control equipment.
At least one of the inputs to the authentication response operation and/or the first data processing element may vary between at least some different authentication requests.
At least one of the inputs to the authentication response operation and/or the first data processing element may vary non-deterministically between at least some different authentication requests.
The first data may be in an encrypted form when received by the user device. The first data processing element may comprise a decryption key. The first data may be processed by decrypting the first data using the decryption key.
At least one communication session may be established with the at least one further user device to facilitate the authentication of the user of the user device by at least one user of the at least one further user device.
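The three sets of measures above (the authorising user device's authentication response operation, the access control equipment's comparison of the received response with expected authentication response data, and the requesting user device's derivation of the first input data from the first data) describe one exchange from three viewpoints. The following Python script is an added illustration of that exchange and is not code from the patent or from Vzinternet Ltd. It assumes that each data processing element is a per-device secret shared with the access control equipment at registration and applied as an HMAC-SHA256 pseudo-random function, that the first authentication data element is a hash over the two device-derived inputs, and that the final response is a message authentication code keyed by that element over the decision. The encrypted transport of the first and second data, the real-time call during which the authorising user reaches the decision, and the one-time passcode exchange are not modelled. The class, function and request-identifier names are this example's own.

```python
"""Three-party authentication response exchange (added example, not the patent's own code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

APPROVE, REJECT = b"approve", b"reject"


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF over length-prefixed parts; assumed stand-in for a data processing element."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


def authentication_response(first_input: bytes, processed_second: bytes, decision: bytes) -> bytes:
    """Authentication response operation: bind both device-derived inputs into a first
    authentication data element, then use it to key a MAC over the decision."""
    first_element = hashlib.sha256(first_input + processed_second).digest()
    return prf(first_element, b"response", decision)


def requesting_device_first_input(k_req: bytes, first_data: bytes) -> bytes:
    """Requesting (further) user device: apply its data processing element to the first data."""
    return prf(k_req, b"first-input", first_data)


def authorising_device_respond(k_auth: bytes, first_input: bytes, second_data: bytes,
                               decision: bytes) -> bytes:
    """Authorising user device: process the second data, then derive the response for the
    decision its user made."""
    processed_second = prf(k_auth, b"second-input", second_data)
    return authentication_response(first_input, processed_second, decision)


class AccessControlEquipment:
    """Holds the secrets agreed at registration and the per-request first and second data."""

    def __init__(self, k_req: bytes, k_auth: bytes):
        self.k_req, self.k_auth = k_req, k_auth
        self.pending = {}

    def start_request(self, request_id: str) -> tuple[bytes, bytes]:
        """First and second data vary non-deterministically between requests (fresh nonces)."""
        first_data, second_data = secrets.token_bytes(16), secrets.token_bytes(16)
        self.pending[request_id] = (first_data, second_data)
        return first_data, second_data

    def access_control(self, request_id: str, response: bytes) -> str:
        """Compare the received response with the expected response for each possible decision."""
        first_data, second_data = self.pending.pop(request_id, (None, None))
        if first_data is None:
            return "invalid"  # unknown or already-consumed request id
        first_input = prf(self.k_req, b"first-input", first_data)
        processed_second = prf(self.k_auth, b"second-input", second_data)
        for decision, outcome in ((APPROVE, "grant"), (REJECT, "reject")):
            expected = authentication_response(first_input, processed_second, decision)
            if hmac.compare_digest(expected, response):
                return outcome
        return "invalid"  # wrong secret, altered decision or a response replayed from another request


def run_demo() -> dict:
    """Run the honest, replayed, rejected and forged cases; returns the outcome of each."""
    k_req, k_auth = secrets.token_bytes(32), secrets.token_bytes(32)  # established at registration
    ace = AccessControlEquipment(k_req, k_auth)
    outcomes = {}
    # 1. Honest approval by the authorising user
    first_data, second_data = ace.start_request("req-1")
    first_input = requesting_device_first_input(k_req, first_data)
    approval = authorising_device_respond(k_auth, first_input, second_data, APPROVE)
    outcomes["approve"] = ace.access_control("req-1", approval)
    # 2. The same approval presented for a new request: the inputs are fresh, so it does not match
    ace.start_request("req-2")
    outcomes["replay"] = ace.access_control("req-2", approval)
    # 3. Honest rejection
    first_data, second_data = ace.start_request("req-3")
    first_input = requesting_device_first_input(k_req, first_data)
    rejection = authorising_device_respond(k_auth, first_input, second_data, REJECT)
    outcomes["reject"] = ace.access_control("req-3", rejection)
    # 4. A device without the authorising secret cannot produce a response that matches
    first_data, second_data = ace.start_request("req-4")
    first_input = requesting_device_first_input(k_req, first_data)
    forged = authorising_device_respond(secrets.token_bytes(32), first_input, second_data, APPROVE)
    outcomes["forged"] = ace.access_control("req-4", forged)
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

Because the access control equipment can itself compute the expected response for each decision, it can distinguish a genuine rejection from a response that matches neither decision; the latter is returned as "invalid" and treated as a denial. Binding fresh first and second data into the response is what makes the replayed approval fail in case 2, which is the practical effect of the inputs varying non-deterministically between requests.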
The at least one communication session may comprise a real-time communication session.
The real-time communication session may be in accordance with Real-time Communication, RTC.
The real-time communication session may be in accordance with Web Realtime Communication, WebRTC.
The at least one communication session may comprise a video call. The at least one communication session may comprise a voice call.
The at least one communication session may be a peer-to-peer communication session.
The at least one communication session may be established in response to receiving at least one communication identifier from at least one data processing entity in the group of data processing entities. The at least one communication identifier may be associated with the at least one further user device.
The at least one communication identifier associated with the at least one further user device may be received from the at least one further user device.
The at least one communication identifier associated with the at least one further user device may be received from the access control equipment.
Data indicating at least one user device authorised to be used to facilitate authentication relating to the user of the user device may be obtained for display to the user of the user device. The at least one authorised user device may include the at least one further user device.
Data indicating at least one user authorised to facilitate authentication relating to the user of the user device may be obtained for display to the user of the user device. The at least one authorised user may include the user of the at least one further user device.
Data indicating only those authorised users and/or authorised user devices that are available for communication may be obtained for display. The user of the user device may be the same as the user of the at least one further user device.
The user device may determine whether establishment of a real-time communication session is allowed between the user device and the at least one further user device. The determination may be based on an identity of the at least one further user device.
Establishment of a real-time communication session may not be allowed if the user of the user device is the same as the user of the at least one further user device.
Data comprising a one-time passcode may be outputted for transmission to at least one data processing entity in the group of data processing entities. Outputting the data comprising the one-time passcode may be based on receiving user input at the user device.
The data comprising the one-time passcode may be outputted for transmission to the access control equipment.
The data comprising the one-time passcode may be outputted in response to receiving data comprising the one-time passcode from the at least one further user device.
It is to be understood that any feature described in relation to any one embodiment may be used alone, or in combination with other features described, and may also be used in combination with one or more features of any other of the embodiments, or any combination of any other of the embodiments. Furthermore, equivalents and modifications not described above may also be employed without departing from the scope of the invention, which is defined in the accompanying claims.
In some examples described above, authentication is performed in relation to a user of a user device by a user of another user device. In some examples, authentication is performed in relation to a user of a user device by one or more users of one or more further user devices. Using multiple users and/or further user devices to perform authentication may increase the likelihood of the correct authentication decision being made by the authentication users. For example, where multiple users have independently authenticated a given user, the access control equipment 130 may have an increased confidence that the given user has been correctly authenticated. In some examples, multi-party multi-device authentication verification is enabled. Step-up role rules may be used, for example in instances where a given authentication request requires one or more secondary authentication decisions from particular users. The step-up role rules may be configured and/or supplied by a given business entity. In some examples, the step-up role rules may be configured and/or supplied by one or more account administrators. The step-up role rules may be associated with a given authentication request. For example, a transaction relating to a first amount of money requires authentication from a supervising user, whereas a transaction relating to a second amount of money, greater than the first amount of money, requires authentication from a company chief financial officer (CFO) and/or chief executive officer (CEO). If conventional authentication were used, and the CFO and/or the CEO did not have their conventional business-supplied passcode generators to hand, the given transaction would probably not be paid. Using user-mediated authentication, however, means that arbitrary constraints imposed by requiring access to specific passcode generating hardware or using sensitive mobile/browser banking apps in untrusted environments need not be applied.
In some examples, participant honesty is scored, rated and/or regulated to allow a business to determine whether a user is acceptable for user-mediated authentication. The business can determine user acceptability using any appropriate metric or decision-making procedure.
Secure user-mediated authentication may be provided to businesses and/or individual users via software adapters, plugins, browsers, mobile applications, software development kits for third party applications, etc. The linking of social network schematics with "trust circles" of authenticity verification nominees and/or their devices, together with rule and role based nominee selection, is well suited to multiparty authentication models such as corporate and conventional multi-signatory accounts, without the inherent constraints, particularly in the area of online banking, that all participants may be required to have a relationship with the bank in question. Moreover, user-mediated authentication frees the business or banking entity from the liabilities and costs associated with business-mediated authentication, while affording users a more natural real-world trust-centric authentication model that is portable across different businesses and business relationships and is inherently more secure than conventional authentication and transaction approval systems, without incurring the inherent risks associated with biometrics.

Claims

1. A method, performed by a user device, of facilitating authentication relating to a user of at least one further user device in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
access control equipment; and
the at least one further user device,
the method comprising, at the user device:
receiving first and second input data from at least one data processing entity in the group of data processing entities, the first input data having been obtained by the at least one further user device using a first data processing element located at the at least one further user device;
processing the received second input data using a second data processing element located at the user device to obtain processed second input data;
performing an authentication response operation to derive authentication response data, the authentication response operation having as inputs:
the received first input data,
the processed second input data, and
data indicative of a result of an authentication decision made by a user of the user device relating to the user of the at least one further user device; and
outputting the derived authentication response data for transmission to at least one data processing entity in the group of data processing entities to enable the access control equipment to perform an access control operation relating to at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
2. A method according to claim 1, the method comprising receiving the first input data from the at least one further user device.
3. A method according to claim 1 or 2, the method comprising receiving the second input data from the access control equipment.
4. A method according to any of claims 1 to 3, the method comprising cooperating with the access control equipment to determine the second data processing element.
5. A method according to any of claims 1 to 4, the method comprising outputting the derived authentication response data for transmission to the access control equipment.
6. A method according to any of claims 1 to 5, wherein at least one of the inputs to the authentication response operation and/or the second data processing element varies between at least some different authentication requests.
7. A method according to any of claims 1 to 6, wherein at least one of the inputs to the authentication response operation and/or the second data processing element varies non-deterministically between at least some different authentication requests.
8. A method according to any of claims 1 to 7, the method comprising performing the authentication response operation by:
using at least the received first input data and the processed second input data to obtain a first authentication data element; and
using the first authentication data element to derive the authentication response data.
9. A method according to claim 8, the method comprising performing the authentication response operation by using at least the first authentication data element and further input data received from at least one of the data processing entities in the group of data processing entities to derive the authentication response data.
10. A method according to claim 9, wherein the further input data comprises third input data, the method comprising receiving the third input data from the at least one further user device.
11. A method according to claim 9 or 10, wherein the further input data comprises fourth input data, the method comprising receiving the fourth input data from the access control equipment.
12. A method according to any of claims 9 to 11, the method comprising performing the authentication response operation by using the second authentication data element and at least one further data item to derive the authentication response data.
13. A method according to claim 12, wherein the at least one further data item comprises the data indicative of the result of the authentication decision and/or a message authentication code.
14. A method according to any of claims 1 to 13, wherein the second input data is in an encrypted form when received by the user device, wherein the second data processing element comprises a decryption key, and wherein the method comprises processing the second input data by decrypting the second input data using the decryption key.
15. A method according to any of claims 1 to 14, the method comprising establishing at least one communication session with the at least one further user device to facilitate the authentication of the user of the at least one further user device by the user of the user device.
16. A method according to claim 15, wherein the at least one communication session comprises a real-time communication session.
17. A method according to claim 16, wherein the real-time communication session is in accordance with Real-time Communication, RTC.
18. A method according to claim 17, wherein the real-time communication session is in accordance with Web Real-time Communication, WebRTC.
19. A method according to any of claims 15 to 18, wherein the at least one communication session comprises a video call and/or a voice call.
20. A method according to any of claims 15 to 19, wherein the at least one communication session is a peer-to-peer communication session.
21. A method according to any of claims 15 to 20, the method comprising outputting a communication identifier associated with the user device for transmission to at least one data processing entity in the group of data processing entities to facilitate establishment of the at least one communication session with the at least one further user device.
22. A method according to claim 21, the method comprising outputting the communication identifier associated with the user device for transmission to the access control equipment.
23. A method according to any of claims 1 to 22, the method comprising deriving the data indicative of the result of the authentication decision made by the user of the user device based on user input received via a user interface associated with the user device.
24. A method according to any of claims 1 to 23, wherein the user of the user device is the same as the user of the at least one further user device.
25. A method according to any of claims 1 to 24, the method comprising receiving data comprising a one-time passcode from at least one data processing entity in the group of data processing entities.
26. A method according to claim 25, the method comprising receiving the data comprising the one-time passcode from the access control equipment.
27. A method according to claim 25 or 26, the method comprising outputting data comprising the one-time passcode for transmission to the at least one further user device.
28. A user device configured to perform a method according to any of claims 1 to 27.
29. Computer software adapted to perform a method according to any of claims 1 to 27.
30. A computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerised device to cause the computerised device to perform a method according to any of claims 1 to 27.
31. A method, performed by an access control equipment, of facilitating access control relating to at least one resource in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
first user device; and
at least one further user device,
the method comprising, at the access control equipment:
transmitting first and second data to at least one data processing entity in the group of data processing entities;
receiving authentication response data from at least one data processing entity in the group of data processing entities, the authentication response data having been derived at the first user device by performing an authentication response operation, the authentication response operation having, as inputs:
first input data obtained by the at least one further user device using a first data processing element located at the at least one further user device and the first data transmitted by the access control equipment;
second input data obtained by the first user device using a second data processing element located at the first user device and the second data transmitted by the access control equipment; and
data indicative of a result of an authentication decision made by a user of the first user device relating to a user of the at least one further user device;
determining an authentication result based on a comparison of the received authentication response data with expected authentication response data; and
performing an access control operation relating to the at least one resource based on the determined authentication result.
32. A method according to claim 31, the method comprising transmitting the first data to the at least one further user device.
33. A method according to claim 31 or 32, the method comprising transmitting the second data to the first user device.
34. A method according to any of claims 31 to 33, the method comprising cooperating with the first user device and/or the at least one further user device to determine the first data processing element and/or the second data processing element.
35. A method according to any of claims 31 to 34, the method comprising receiving the authentication response data from the first user device.
36. A method according to any of claims 31 to 35, the method comprising varying at least one of the inputs to the authentication response operation and/or the second data processing element between at least some different authentication requests.
37. A method according to any of claims 31 to 36, the method comprising varying at least one of the inputs to the authentication response operation and/or the second data processing element non-deterministically between at least some different authentication requests.
38. A method according to any of claims 31 to 37, the method comprising transmitting the first data and/or the second data to the at least one data processing entity in the group of data processing entities in encrypted form.
39. A method according to any of claims 31 to 38, the method comprising coordinating establishment of at least one communication session between the first user device and the at least one further user device to facilitate the authentication of the user of the at least one further user device by the user of the first user device.
40. A method according to claim 39, wherein the at least one communication session comprises a real-time communication session.
41. A method according to claim 40, wherein the real-time communication session is in accordance with Real-time Communication, RTC.
42. A method according to claim 40, wherein the real-time communication session is in accordance with Web Real-time Communication, WebRTC.
43. A method according to any of claims 39 to 42, wherein the at least one communication session comprises a video call and/or a voice call.
44. A method according to any of claims 39 to 43, wherein the at least one communication session is a peer-to-peer communication session.
45. A method according to any of claims 39 to 44, the method comprising coordinating the establishment of the at least one communication session in response to receiving a communication identifier associated with the first user device from at least one data processing entity in the group of data processing entities.
46. A method according to claim 45, the method comprising receiving the communication identifier associated with the first user device from the first user device.
47. A method according to any of claims 31 to 46, the method comprising transmitting data indicating at least one user device authorised to be used to facilitate the authentication relating to the user of the at least one further user device to the at least one further user device, the at least one authorised user device including at least the first user device.
48. A method according to any of claims 31 to 46, the method comprising transmitting data indicating at least one user authorised to facilitate the authentication relating to the user of the at least one further user device to the at least one further user device, the at least one authorised user including at least the user of the first user device.
49. A method according to claim 47 or 48, the method comprising determining availability of at least one authorised user and/or at least one authorised user device and transmitting data to the at least one further user device identifying only those authorised users and/or authorised user devices that are determined to be available.
50. A method according to any of claims 31 to 49, wherein the user of the first user device is the same as the user of the at least one further user device.
51. A method according to any of claims 31 to 50, the access control equipment being configured to transmit data comprising a one-time passcode to at least one data processing entity in the group of data processing entities.
52. A method according to claim 51, the method comprising transmitting the data comprising the one-time passcode to the first user device.
53. An access control equipment configured to perform a method according to any of claims 31 to 52.
54. Computer software adapted to perform a method according to any of claims 31 to 52.
55. A computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerised device to cause the computerised device to perform a method according to any of claims 31 to 52.
56. A method, performed by a user device, of facilitating access to at least one resource in a data communication system, the data communication system comprising:
a group of data processing entities, the group of data processing entities comprising:
at least one further user device; and
access control equipment,
the method comprising, at the user device:
receiving first data from at least one data processing entity in the group of data processing entities;
processing the received first data using a first data processing element located at the user device to obtain first input data; and
outputting the first input data for transmission to at least one data processing entity in the group of data processing entities to allow the at least one further user device to perform an authentication response operation to derive authentication response data, the authentication response operation having as inputs the first input data, second input data obtained by the at least one further user device using a second data processing element located at the at least one further user device, and data indicative of a result of an authentication decision made by a user of the at least one further user device relating to a user of the user device, wherein the access control equipment is able to perform an access control operation relating to the at least one resource based on a comparison of the derived authentication response data with expected authentication response data.
57. A method according to claim 56, the method comprising receiving the first data from the access control equipment.
58. A method according to claim 56 or 57, the method comprising outputting the first input data for transmission to the at least one further user device.
59. A method according to any of claims 56 to 58, the method comprising cooperating with the access control equipment to determine the first data processing element.
60. A method according to any of claims 56 to 59, wherein at least one of the inputs to the authentication response operation and/or the first data processing element varies between at least some different authentication requests.
61. A method according to any of claims 56 to 60, wherein at least one of the inputs to the authentication response operation and/or the first data processing element varies non-deterministically between at least some different authentication requests.
62. A method according to any of claims 56 to 61, wherein the first data is in an encrypted form when received by the user device, wherein the first data processing element comprises a decryption key, and wherein the method comprises processing the first data by decrypting the first data using the decryption key.
63. A method according to any of claims 56 to 62, the method comprising establishing at least one communication session with the at least one further user device to facilitate the authentication of the user of the user device by at least one user of the at least one further user device.
64. A method according to claim 63, wherein the at least one communication session comprises a real-time communication session.
65. A method according to claim 64, wherein the real-time communication session is in accordance with Real-time Communication, RTC.
66. A method according to claim 65, wherein the real-time communication session is in accordance with Web Real-time Communication, WebRTC.
67. A method according to any of claims 63 to 66, wherein the at least one communication session comprises a video call and/or a voice call.
68. A method according to any of claims 63 to 67, wherein the at least one communication session is a peer-to-peer communication session.
69. A method according to any of claims 63 to 68, the method comprising establishing the at least one communication session in response to receiving at least one communication identifier associated with the at least one further user device from at least one data processing entity in the group of data processing entities.
70. A method according to claim 69, the method comprising receiving the at least one communication identifier associated with the at least one further user device from the at least one further user device.
71. A method according to claim 69, the method comprising receiving the at least one communication identifier associated with the at least one further user device from the access control equipment.
72. A method according to any of claims 56 to 71, the method comprising obtaining, for display to the user of the user device, data indicating at least one user device authorised to be used to facilitate authentication relating to the user of the user device, the at least one authorised user device including the at least one further user device.
73. A method according to any of claims 56 to 71, the method comprising obtaining, for display to the user of the user device, data indicating at least one user authorised to facilitate authentication relating to the user of the user device, the at least one authorised user including the user of the at least one further user device.
74. A method according to claim 72 or 73, the method comprising obtaining for display data indicating only those authorised user devices and/or authorised users that are available for communication.
75. A method according to any of claims 56 to 74, wherein the user of the user device is the same as the user of the at least one further user device.
76. A method according to any of claims 56 to 75, the method comprising determining whether establishment of a real-time communication session is allowed between the user device and the at least one further user device based on an identity of the at least one further user device.
77. A method according to claim 76, the method comprising not allowing establishment of the real-time communication session if the user of the user device is the same as the user of the at least one further user device.
78. A method according to any of claims 56 to 77, the method comprising outputting data comprising a one-time passcode for transmission to at least one data processing entity in the group of data processing entities based on receiving user input at the user device.
79. A method according to claim 78, the method comprising outputting the data comprising the one-time passcode for transmission to the access control equipment.
80. A method according to claim 78 or 79, the method comprising outputting the data comprising the one-time passcode in response to receiving data comprising the one-time passcode from the at least one further user device.
81. A user device configured to perform a method according to any of claims 56 to 80.
82. Computer software adapted to perform a method according to any of claims 56 to 80.
83. A computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerised device to cause the computerised device to perform a method according to any of claims 56 to 80.
84. An authentication system configured to perform a method according to any of claims 1 to 27 and a method according to any of claims 31 to 52.
85. An authentication system configured to perform a method according to any of claims 1 to 27 and a method according to any of claims 56 to 80.
86. An authentication system configured to perform a method according to any of claims 31 to 52 and a method according to any of claims 56 to 80.
87. An authentication system configured to perform a method according to any of claims 1 to 27, a method according to any of claims 31 to 52, and a method according to any of claims 56 to 80.
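As an added illustration (not the applicant's code, nor any implementation the application describes), the following Python simulation walks the three parties of claims 1, 31 and 56 through one request: the access control equipment issues fresh first and second data, the requesting device decrypts the first and relays it to the authenticating user's device, which decrypts the second, takes the user's decision and returns a MAC that the equipment compares with its expected response. The toy cipher, the HMAC-based response operation, the device and user names and the APPROVED/DENIED encoding are all assumptions, since the application fixes none of them.

```python
import hashlib
import hmac
import secrets


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode cipher built from HMAC-SHA256: a stand-in for the cipher
    # the claims leave unspecified (claims 14, 38, 62); use AES-GCM for real.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce, prefixed to the ciphertext
    return nonce + _xor_stream(key, nonce, plaintext)


def unseal(key: bytes, sealed: bytes) -> bytes:
    return _xor_stream(key, sealed[:16], sealed[16:])


def authentication_response(first_input: bytes, second_input: bytes, decision: bytes) -> bytes:
    # Authentication response operation (claims 1, 8, 12, 13): a first
    # authentication data element from the two inputs, then a MAC over the
    # authenticating user's decision keyed with that element.
    element = hmac.new(first_input, second_input, hashlib.sha256).digest()
    return hmac.new(element, decision, hashlib.sha256).digest()


class AccessControlEquipment:
    # Issues per-request first/second data and checks the response (claim 31).
    def __init__(self, device_keys: dict):
        self.keys = device_keys  # device id -> key agreed at enrolment (claims 4, 59)
        self.pending = {}        # request id -> (authenticator device, expected response)

    def start_request(self, requester_dev: str, authenticator_dev: str):
        # Fresh secrets per request, so the inputs vary non-deterministically
        # between authentication requests (claims 7, 37).
        first_secret, second_secret = secrets.token_bytes(32), secrets.token_bytes(32)
        request_id = secrets.token_hex(8)
        expected = authentication_response(first_secret, second_secret, b"APPROVED")
        self.pending[request_id] = (authenticator_dev, expected)
        return (request_id,
                seal(self.keys[requester_dev], first_secret),       # first data -> requester
                seal(self.keys[authenticator_dev], second_secret))  # second data -> authenticator

    def access_control(self, request_id: str, from_dev: str, response: bytes) -> str:
        # Access control operation: grant only when the response matches (claim 31).
        authenticator_dev, expected = self.pending.pop(request_id)
        if from_dev != authenticator_dev:
            return "deny"
        return "grant" if hmac.compare_digest(response, expected) else "deny"


class FurtherUserDevice:
    # Device of the user seeking access (claim 56).
    def __init__(self, device_id: str, user_id: str, key: bytes):
        self.device_id, self.user_id, self.key = device_id, user_id, key

    def first_input(self, first_data: bytes) -> bytes:
        # Claim 62: decrypt the first data; the result goes to the
        # authenticator's device (claim 58), never back to the equipment.
        return unseal(self.key, first_data)


class UserDevice:
    # Device of the authenticating user (claim 1).
    def __init__(self, device_id: str, user_id: str, key: bytes):
        self.device_id, self.user_id, self.key = device_id, user_id, key

    def session_allowed(self, peer_user_id: str) -> bool:
        # Claim 77: no real-time session with one's own other device, so a
        # user cannot vouch for themselves.
        return peer_user_id != self.user_id

    def respond(self, first_input: bytes, second_data: bytes, approved: bool) -> bytes:
        second_input = unseal(self.key, second_data)       # claim 14
        decision = b"APPROVED" if approved else b"DENIED"  # claim 23: the user's decision
        return authentication_response(first_input, second_input, decision)


def run_flow(approved: bool = True, tamper: bool = False, same_user: bool = False) -> str:
    # One full exchange between constructed parties; returns the access decision.
    keys = {"alice-phone": secrets.token_bytes(32), "bob-phone": secrets.token_bytes(32)}
    ace = AccessControlEquipment(keys)
    alice = FurtherUserDevice("alice-phone", "alice", keys["alice-phone"])
    bob = UserDevice("bob-phone", "alice" if same_user else "bob", keys["bob-phone"])
    if not bob.session_allowed(alice.user_id):
        return "deny"
    req, first_data, second_data = ace.start_request(alice.device_id, bob.device_id)
    first_input = alice.first_input(first_data)
    if tamper:  # a relayed value altered in transit must not be accepted
        first_input = first_input[:-1] + bytes([first_input[-1] ^ 1])
    response = bob.respond(first_input, second_data, approved)
    return ace.access_control(req, bob.device_id, response)
```

A denial by the authenticating user, a tampered relayed value, or a self-vouching attempt all end in "deny" because the response no longer matches what the equipment computed for an approval.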

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1604617.9A GB2551688B (en) 2016-03-18 2016-03-18 Methods, user devices, access control equipments, computer software, computer program products and systems for facilitating authentication or access control
GB1604617.9 2016-03-18

Publications (1)

Publication Number Publication Date
WO2017158376A1 true WO2017158376A1 (en) 2017-09-21

Family

ID=55968528

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2017/050748 WO2017158376A1 (en) 2016-03-18 2017-03-17 Methods, user devices, access control equipments, computer software, computer program products and systems for facilitating authentication or access control

Country Status (2)

Country Link
GB (1) GB2551688B (en)
WO (1) WO2017158376A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022039756A1 (en) * 2020-08-21 2022-02-24 Hewlett-Packard Development Company, L.P. Contextual authorisation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140150071A1 (en) * 2012-11-29 2014-05-29 International Business Machines Corporation Social authentication of users
US20140250516A1 (en) * 2011-06-30 2014-09-04 Dongxuan Gao Method for authenticating identity of handset user
US20140259129A1 (en) * 2013-03-08 2014-09-11 Open Text S.A. System and Method for Collaborative Authentication

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7370351B1 (en) * 2001-03-22 2008-05-06 Novell, Inc. Cross domain authentication and security services using proxies for HTTP access
US20070220252A1 (en) * 2005-06-06 2007-09-20 Sinko Michael J Interactive network access controller

Also Published As

Publication number Publication date
GB2551688A (en) 2018-01-03
GB2551688B (en) 2021-12-22
GB201604617D0 (en) 2016-05-04

Legal Events

Date Code Title Description
NENP Non-entry into the national phase (Ref country code: DE)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17718576; Country of ref document: EP; Kind code of ref document: A1)
122 Ep: pct application non-entry in european phase (Ref document number: 17718576; Country of ref document: EP; Kind code of ref document: A1)