WO2018149497A1 - System and method for authentication of a user - Google Patents
System and method for authentication of a user Download PDFInfo
- Publication number
- WO2018149497A1 WO2018149497A1 PCT/EP2017/053506 EP2017053506W WO2018149497A1 WO 2018149497 A1 WO2018149497 A1 WO 2018149497A1 EP 2017053506 W EP2017053506 W EP 2017053506W WO 2018149497 A1 WO2018149497 A1 WO 2018149497A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user
- computer device
- authentication value
- binary authentication
- authentication
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/316—User authentication by observing the pattern of computer usage, e.g. typical user behaviour
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/535—Tracking the activity of the user
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/065—Continuous authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2111—Location-sensitive, e.g. geographical location, GPS
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/40—Security arrangements using identity modules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/68—Gesture-dependent or behaviour-dependent
Definitions
- the invention relates to devices for use in computer devices and to devices for authentication of a user of a computer device.
- an average user can typically unlock his mobile telephone (smart phone) at least 80-85 times a day. This does not include the use of a Tablet, Computer, Laptop etc.
- the access is made using various means of authentication varying from digital certificates to user personal finger prints and passwords, all of these consumes time and requires the user to be attentive in providing the correct input for the authentication.
- a computer device for providing access to multiple data services is provided.
- the computer device is configured to upon a request for access to a data service out of the multiple data services, compare a user specific non-binary authentication value of a current user with a predetermined access level value of the data service.
- the computer device is further configured to provide access to the requested data service based on the outcome of the performed comparison between the non-binary authentication value and the predetermined access level value of the data service.
- the computer device is enabled to allow for different levels of authentication to different data services, such as different computer applications or data bases.
- the computer device is configured to generate the user specific non-binary authentication value.
- all of the authentication procedure can be integrated into one single device.
- the computer device is configured to receive the user specific non-binary authentication value from another entity.
- the device is enabled to use a distributed service, such as a cloud service, to provide authentication of a user.
- the user specific non-binary authentication value is based on a set of predefined user behaviors.
- the authentication of a user can be made stronger based on pre-defined user behavior patterns without the need for the user to engage in a specific authentication procedure.
- the computer device is configured to continuously or periodically update the user specific non-binary authentication value.
- the authentication can be more accurate and better reflect a current status of the non-binary authentication value.
- the user specific non-binary authentication value corresponds to a probability that a user is correctly authenticated and that the computer device is configured to provide access to more data services the higher the probability of a correct user as indicated by the user specific non-binary authentication value.
- the computer device is configured to provide access to more data services the higher the probability of a correct user as indicated by the user specific non-binary authentication value.
- data services requiring higher level of authentication is successively given access to as the user specific non-binary authentication value becomes stronger and thereby with a higher degree of probability correctly authenticates the user.
- an apparatus for authentication of a user of a computer device is provided. The apparatus is configured to receive data of at least one user specific parameter each representing a user behavior characterizing the user, and to determine a non-binary authentication value based on the received data.
- the apparatus is further configured to output to non-binary authentication value as a user specific non-binary authentication value.
- non-binary authentication value can be generated.
- the authentication value can in some
- the apparatus is configured to receive data for at least two user specific parameters.
- the at least one user specific parameter comprises at least one of: Physical proximity of at least one device, a user-friendly password, one or more biometric parameter(s) and at least one behavioral pattern.
- a plurality of user behaviors is provided that can contribute to authenticate a user.
- the apparatus is configured to dynamically change the non-binary authentication value based on a received additional data representing user behavior.
- the apparatus is configured to time stamp the data representing user behavior and further configured to base the determined non-binary authentication value on the time of the received data representing user behavior.
- the apparatus is configured to decrease the determined non-binary
- the apparatus is configured to set the determined non-binary authentication value to a predetermined value when the computing device is locked.
- the apparatus is configured to decrease the determined non-binary
- the authentication value when receiving new additional data representing user behavior indicating that a wrong user is using the computer device.
- the authentication value is decreased for a current user when data indicating that another user has started to use the device. This in turn reduces the risk that access to a data service is provided to a wrong user.
- the apparatus is configured to increase the determined non-binary authentication value when receiving new additional data representing user behavior indicating that a correct user is using the computer device.
- the authentication value is increased for a current user when data indicating that it is the correct user that uses the computer device. This in turn can make it possible for the user to access additional data services without the need for engaging in a specific authentication procedure.
- the user specific non-binary authentication value corresponds to a probability that a user is correctly authenticated.
- an elaborate set of authentication values are provided and the authentication level can be set in accordance with the probability.
- a computer device as set out above can be provided with an apparatus for authentication as set out above.
- the invention also extends to methods for use in the devices as set out above.
- Fig. 1 shows a diagram illustrating a conventional authentication
- FIG. 2 shows a diagram illustrating an authentication procedure in accordance with one exemplary embodiment of the invention
- Fig. 3 depicts system set up for authentication in accordance with a first configuration
- Fig. 4 depicts system set up for authentication in accordance with a second configuration.
- a problem to be solved is to have an easy yet strong and trustworthy automatic authentication means using various factors (weak and strong) to recognize the user and authenticate to authenticate the user. For example, the following problems should preferably be addressed.
- automatic authentication means using various factors (weak and strong) to recognize a user and authenticate the user rather than only authenticate the device it-self.
- the authentication should be able to create strong data access schemes to be able to grant only specified access to a specific user at that particular time based on an authentication criteria being met.
- the system should provide an easy integrity and authenticity safe mechanism to install / extend a security policy for computer
- Fig. 1 schematically shows a conventional authentication procedure.
- a diagram 100 illustrates how a computer device 101 is authenticated and connected to a data service 103, in particular a data service.
- the computer device can typically be a mobile telephone (smart phone), but can equally well be any type of computer device such as a tablet, desktop computer, laptop or a similar device.
- the data service 103 can for example be a data file, a data storage, a server or a computer program/ computer application or a similar service that requires authentication.
- the service 103 can reside inside the device 101 .
- the data service 103 can be camera photos or a calendar or a similar data service.
- Traditional access control typically involves user credentials being added to an access control group or list.
- a mechanism that authenticate a user or a system by recognizing the users based on an intelligent access control is provided.
- the mechanism can be controlled to provide access to data services in an aggregated manner. For example, full access is given in a state with complete authentication and minimal or no access is given when authentication is non-existing or weak.
- access control of a computer device is based on a set of predefined user habits per user.
- An apparatus can be configured to collect user behavioural patterns and further to aggregate authentication based on a plurality of behavioural patterns.
- behavioural patterns matching the correct user acts to increase the likelihood that it is the authorized user that is using the computer device.
- the authentication/authentication level of the user of the device can then be successively be increased.
- Access to data services is provided based on the satisfying patters that increases the authentication of the user of the computer device. For example, access to a data service, such as a computer application or a data base, is restricted to the user qualifying at a pre-determined
- the authentication procedure based on user behavioural patterns is performed in Secure Execution environment (SEE).
- SEE Secure Execution environment
- the SEE can be located on the computer device it-self.
- the SEE can be ARM Trustzone based Trusted Execution Environment (TEE), embedded Security element or secure co-processor
- Fig. 2 a diagram illustrating an authentication procedure in accordance with an embodiment of the invention.
- a computer device (a user) 201 is configured to access a data service 203 via a request 17. The access is provided based on a procedure performed by an apparatus 202 providing access.
- the apparatus 202 can be integrated with the computer device 201 or can be external from the computer device 201 .
- Content is delivered in a response 18.
- a computer performs some kind of initial start procedure.
- the computer device 201 may enter a geographical area or the computer device is switched on.
- the apparatus 202 then associates the current user of the computer device with an initial level of authentication. This can typically be performed by providing a non-binary authentication value.
- the non-binary authentication value can for example correspond to a probability that the user of the device is the correct user of the computer device. For example, this can be expressed as a probability that the user is the correct user.
- the initial non-binary authentication value can provide the user with access to some (or none) data services. In other words, the activation of the computer device (or the presence of the computer device) provides some initial authentication.
- step 22 This is performed in a step 22 where an initial non-binary authentication value is set and in a step 23 where the non- binary authentication value is compared to value required to access a requested data service. Access to a requested data service is then provided (or denied) in a step 24 based on the outcome in step 23.
- the initial authentication level is typically set to a low value that only grants access to a limited, not sensitive data services.
- a response 18 is given based on the current authentication level.
- further confirmation authenticating the user can be received and used to increase the authentication level. This can be performed by receiving new user behaviour patterns and the like. This is performed in a step 25.
- the non-binary authentication value is then updated based on the new
- the updated non-binary authentication value is thereby based on a plurality of input values and can also be based on multiple input parameters.
- Input parameters that can be used to adjust the non-binary authentication value can for example be: ⁇ Physical proximity of devices (my phone, smart watch etc. is close to this place)
- a user friendly password can have no restrictions or at least no restrictions as to any specific combination of different types of characters used, whereas a strong password typically has a restriction that different types of characters needs to be used an/or that the password is of at least some length
- Behavior pattern can be user behaviours that statistically matches with current user behavior. For example, a user may visit website www.cnn.com everyday between 7:00-8:00. After that user is calling to certain people, then user play certain game for next 5 min. User may type keyboard with certain similar speed.
- Location as determined by positioning system, such as GPS
- Measuring user behaviour can be formed using the sensors in the home.
- the apparatus 202 providing access control to a data service can in accordance with some exemplary embodiments be integrated in the computer device used by the user. This is shown in Fig. 3. Further, the data service 203 can reside inside the computer device 201 as is also indicated in Fig. 3.
- the apparatus 202 providing access control to a data service can in accordance with some exemplary embodiment
- the apparatus 202 can then be a stand-alone server or a cloud service.
- the data service 203 can reside inside the computer device 201 as is also indicated in Fig. 4.
- the apparatus thus can be configured to collect data to generate an aggregated confidence level (user authenticity level) information from user inputs defined by multiple factors. Further, an aggregated user confidence level over time can be generated using information from various user inputs (multiple factors, weak and strong)
- a conventional authentication is atomic and binary with only one outcome, user either is or not whom she claims to be. If she is then she can access everything she has been granted.
- the mechanism as described herein generates a non-binary authentication value that is associated with a user of a computer device.
- the aggregated confidence levels formed results in that access privileges can be added is the confidence level is increased (or subtracted if the confidence level is reduced).
- some data services such as financial, private and sensitive information access can still be associated with a strong, specific, factor.
- some data services cannot be accessed using the above mechanisms only. Instead some data services can require a specific authentication protocol (such as the entering of a strong password).
- Each data service can be associated with a particular policy defining the exact authentication level required to access the data service.
- control mechanism as described herein can be used in any computer device that requires authentications and access control. Few example (but not limited to):
- ⁇ To provide levels of data access to a specified data or network level e.g., a person which lower authentication can see only 2 of the 10 files available in the network drive, but a person with higher authentication level who has satisfied both strong and weak authentication factors can see all 10 of 10 files and a person with mid-level authentication access can see only 5 of 10 files etc., For a quick comparison with existing authentication mechanisms, take an example for a smart home that has connections to various equipment in the house and security system.
- the Smart home control is centralized to one local server (or remote) that is able to monitor and track all these connected systems. It is then only necessary to make software changes to this server such that the access control apparatus 202 is part of this server and is able to make authorization and access decisions based on the input it has received from various systems, and access to the data and devices is granted accordingly.
- the access control apparatus 202 is part of this server and is able to make authorization and access decisions based on the input it has received from various systems, and access to the data and devices is granted accordingly.
- There are no hardware changes needed for this purpose (however every new sensor added to the smart home needs to be updated in the intelligent agent program).
- the same idea is applicable to the Gateway concept in the current and upcoming Internet of Things concept, where all the connected devices are controlled by user.
- Collected inputs for Intelligent Agent may come from various sensor devices. These input devices might be implemented as pure Hardware (HW) or combination of HW and Software (SW).
- the mechanism as described herein provides a way to provide access to different users automatically based on defined behavioural patterns. No user database needs to be provided. Further, the security risks associated with a user database by tampering, forge and accidental deletion in the database can be reduced.
- the proposed solution makes it possible for a computing device or an authenticating gateway (smart homes, cars, bio metric servers etc.,) to be able to confidently identify the user that has requested access to the system, and control the access to the data base or accessories or limit the features of a system based on the pre-set patters qualification.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- Social Psychology (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a computer device (201 ) an to an access control apparatus (202) for providing access to multiple data services (203), the computer device being configured to upon a request for access to a data service of said multiple data services, compare a user specific non-binary authentication value of a current user with a predetermined access level value of the data service, and to provide access to the requested data service based on the outcome of the performed comparison between the non-binary authentication value and the predetermined access level value of the data service.
Description
System and method for authentication of a user
TECHNICAL FIELD
The invention relates to devices for use in computer devices and to devices for authentication of a user of a computer device.
BACKGROUND
Today, a user authenticate himself many times a day when accessing a computer device, a computer application or a data server/memory. The authentication is made using various traditional and latest authentications means.
For example, an average user can typically unlock his mobile telephone (smart phone) at least 80-85 times a day. This does not include the use of a Tablet, Computer, Laptop etc. The access is made using various means of authentication varying from digital certificates to user personal finger prints and passwords, all of these consumes time and requires the user to be attentive in providing the correct input for the authentication.
Users acquire more and more digital equipment for house and personal use which requires authentication and to ensure that the user accessing the equipment is genuine. There is a constant desire to improve the performance of authentication procedures. Hence, there is a need for an improved procedure for user authentication and for devices supporting such an improved authentication.
SUMMARY It is an object of the present invention to provide improved devices for authentication of a user of a computer device.
In accordance with a first aspect of the invention a computer device for providing access to multiple data services is provided. The computer device is configured to upon a request for access to a data service out of the multiple data services, compare a user specific non-binary authentication value of a current user with a predetermined access level value of the data service. The computer device is further configured to provide access to the requested data service based on the outcome of the performed comparison between the non-binary authentication value and the predetermined access level value of the data service. Hereby, it is achieved that the computer device is enabled to allow for different levels of authentication to different data services, such as different computer applications or data bases. In other words, it will become possible to allow for a low level of authentication for some data services whereas other data services can require a higher level of authentication while using the same authentication mechanism. This will allow for a more user friendly management of the authentication procedure in that the authentication procedure can be made easier for data services determined to require a lower level of authentication.
In accordance with a first implementation of the first aspect, the computer device is configured to generate the user specific non-binary authentication value. Hereby, all of the authentication procedure can be integrated into one single device.
In accordance with a second implementation of the first aspect, the computer device is configured to receive the user specific non-binary authentication value from another entity. Hereby, the device is enabled to use a distributed service, such as a cloud service, to provide authentication of a user.
In accordance with a third implementation of the first aspect, the user specific non-binary authentication value is based on a set of predefined user behaviors. Hereby, the authentication of a user can be made stronger based on pre-defined user behavior patterns without the need for the user to engage in a specific authentication procedure.
In accordance with a fourth implementation of the first aspect, the computer device is configured to continuously or periodically update the user specific non-binary authentication value. Hereby, the authentication can be more accurate and better reflect a current status of the non-binary authentication value.
In accordance with a fifth implementation of the first aspect, the user specific non-binary authentication value corresponds to a probability that a user is correctly authenticated and that the computer device is configured to provide access to more data services the higher the probability of a correct user as indicated by the user specific non-binary authentication value. Hereby, it is enabled that data services requiring higher level of authentication is successively given access to as the user specific non-binary authentication value becomes stronger and thereby with a higher degree of probability correctly authenticates the user. In accordance with a second aspect of the invention, an apparatus for authentication of a user of a computer device is provided. The apparatus is configured to receive data of at least one user specific parameter each representing a user behavior characterizing the user, and to determine a non-binary authentication value based on the received data. The apparatus is further configured to output to non-binary authentication value as a user specific non-binary authentication value. Hereby it is achieved that the authentication of a user of a computer device can be given a non-binary authentication value and thereby be given access to a data service having an authentication level matching a current authentication value that is based on user behavior. In other words, a non-binary authentication value can be generated. In particular, the authentication value can in some
implementations be based on only a user behavior without the need for the user to engage in a specific authentication procedure.
In accordance with a first implementation of the second aspect, the apparatus is configured to receive data for at least two user specific parameters. Hereby, a more refined authentication of a user can be achieved that can be only or partly based on user behavior. In accordance with a second implementation of the second aspect, the at least one user specific parameter comprises at least one of: Physical proximity of at least one device, a user-friendly password, one or more biometric parameter(s) and at least one behavioral pattern. Hereby, a plurality of user behaviors is provided that can contribute to authenticate a user.
In accordance with a third implementation of the second aspect, the apparatus is configured to dynamically change the non-binary authentication value based on a received additional data representing user behavior.
In accordance with a fourth implementation of the second aspect, the apparatus is configured to time stamp the data representing user behavior and further configured to base the determined non-binary authentication value on the time of the received data representing user behavior. Hereby an improved authentication of a user can be achieved in that the temporal aspect of a user behavior can be taken into account. In accordance with a fifth implementation of the second aspect, the apparatus is configured to decrease the determined non-binary
authentication value after a pre-determined time period if no new additional data representing user behavior is provided to the apparatus during said predetermined time period. In accordance with a sixth implementation of the second aspect, the apparatus is configured to set the determined non-binary authentication value to a predetermined value when the computing device is locked.
Hereby, an easy resetting of the authentication value is provided.
In accordance with a seventh implementation of the second aspect, the apparatus is configured to decrease the determined non-binary
authentication value when receiving new additional data representing user behavior indicating that a wrong user is using the computer device. Hereby, it is achieved that the authentication value is decreased for a current user when data indicating that another user has started to use the device. This in turn reduces the risk that access to a data service is provided to a wrong user.
In accordance with an eighth implementation of the second aspect, the apparatus is configured to increase the determined non-binary authentication value when receiving new additional data representing user behavior indicating that a correct user is using the computer device. Hereby, it is achieved that the authentication value is increased for a current user when data indicating that it is the correct user that uses the computer device. This in turn can make it possible for the user to access additional data services without the need for engaging in a specific authentication procedure.
In accordance with a ninth implementation of the second aspect, the user specific non-binary authentication value corresponds to a probability that a user is correctly authenticated. Hereby, an elaborate set of authentication values are provided and the authentication level can be set in accordance with the probability.
In accordance with a third aspect of the invention a computer device as set out above can be provided with an apparatus for authentication as set out above. The invention also extends to methods for use in the devices as set out above.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will now be described in more detail, by way of example, and with reference to the accompanying drawings, in which:
- Fig. 1 shows a diagram illustrating a conventional authentication
procedure,
- Fig. 2 shows a diagram illustrating an authentication procedure in accordance with one exemplary embodiment of the invention,
- Fig. 3 depicts system set up for authentication in accordance with a first configuration, and
- Fig. 4 depicts system set up for authentication in accordance with a second configuration.
DETAILED DESCRIPTION
The invention will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the invention are shown. The invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Like numbers refer to like elements throughout the description.
As has been realized, a more automated procedure for authentication would be advantageous. A problem to be solved then is to have an easy yet strong and trustworthy automatic authentication means using various factors (weak and strong) to recognize the user and authenticate to authenticate the user.
For example, the following problems should preferably be addressed.
- It should be possible to have an easy yet strong and trustworthy
automatic authentication means using various factors (weak and strong) to recognize a user and authenticate the user rather than only authenticate the device it-self.
The authentication should be able to create strong data access schemes to be able to grant only specified access to a specific user at that particular time based on an authentication criteria being met.
- The system should provide an easy integrity and authenticity safe mechanism to install / extend a security policy for computer
applications.
- The system should provide easy integrity and authenticity safe
mechanism to install a device specific security policy.
Fig. 1 schematically shows a conventional authentication procedure. In Fig. 1 a diagram 100 illustrates how a computer device 101 is authenticated and connected to a data service 103, in particular a data service. The computer device can typically be a mobile telephone (smart phone), but can equally well be any type of computer device such as a tablet, desktop computer, laptop or a similar device. The data service 103 can for example be a data file, a data storage, a server or a computer program/ computer application or a similar service that requires authentication. In accordance with some embodiments the service 103 can reside inside the device 101 . For example, the data service 103 can be camera photos or a calendar or a similar data service.
Traditional access control typically involves user credentials being added to an access control group or list. To improve security, it is generally required that the user has a strong password (milt character, long and unpredictable). The use of strong passwords is however generally viewed as not being user friendly since the user needs to remember the password. As a consequence, most users choose not to have passwords or use weak password or reuse passwords, thereby compromising the security of the service.
Further, in traditional and existing advanced authentication means, it is only the devices that gets authenticated but typically never the user. This means that a computer device can be used by any other persons such as family members but is also possible to be misused if the device is stolen. Typical user centric authentication like Retinal scan, finger print, heart rate etc., are usually not provided in all the daily usage computer devices. As a result, many computer devices will continue to suffer from the problems listed above.
To solve the above problems, or at least reduce some of them, a mechanism that authenticate a user or a system by recognizing the users based on an intelligent access control is provided. The mechanism can be controlled to provide access to data services in an aggregated manner. For example, full access is given in a state with complete authentication and minimal or no access is given when authentication is non-existing or weak.
In accordance with some exemplary embodiments access control of a computer device is based on a set of predefined user habits per user. An apparatus can be configured to collect user behavioural patterns and further to aggregate authentication based on a plurality of behavioural patterns. In other words, behavioural patterns matching the correct user acts to increase the likelihood that it is the authorized user that is using the computer device. The authentication/authentication level of the user of the device can then be successively be increased. Access to data services is provided based on the satisfying patters that increases the authentication of the user of the computer device.
For example, access to a data service, such as a computer application or a data base, is restricted to the user qualifying at a pre-determined
authentication level. Once the apparatus collecting user patterns has verified that the user is the authorized user at a corresponding level, access is granted to the data service. This can then be granted without the user having to enter any type of specified authentication code.
In accordance with some embodiments the authentication procedure based on user behavioural patterns is performed in Secure Execution environment (SEE). In particular, the SEE can be located on the computer device it-self. For example, the SEE can be ARM Trustzone based Trusted Execution Environment (TEE), embedded Security element or secure co-processor
In Fig. 2 a diagram illustrating an authentication procedure in accordance with an embodiment of the invention. In Fig. 2 a computer device (a user) 201 is configured to access a data service 203 via a request 17. The access is provided based on a procedure performed by an apparatus 202 providing access. The apparatus 202 can be integrated with the computer device 201 or can be external from the computer device 201 . Content is delivered in a response 18.
First, in a step 21 a computer performs some kind of initial start procedure. For example, the computer device 201 may enter a geographical area or the computer device is switched on. The apparatus 202 then associates the current user of the computer device with an initial level of authentication. This can typically be performed by providing a non-binary authentication value. The non-binary authentication value can for example correspond to a probability that the user of the device is the correct user of the computer device. For example, this can be expressed as a probability that the user is the correct user. The initial non-binary authentication value can provide the user with access to some (or none) data services. In other words, the activation of the computer device (or the presence of the computer device) provides some initial authentication. This is performed in a step 22 where an initial non-binary authentication value is set and in a step 23 where the non-
binary authentication value is compared to value required to access a requested data service. Access to a requested data service is then provided (or denied) in a step 24 based on the outcome in step 23.
For example, when a computer device that is registered for use with a set of data services register, some percentage of automatic authentication is initially confirmed and used to access requested data services, e.g. in request 17. However, the initial authentication level is typically set to a low value that only grants access to a limited, not sensitive data services. A response 18 is given based on the current authentication level. However, further confirmation authenticating the user can be received and used to increase the authentication level. This can be performed by receiving new user behaviour patterns and the like. This is performed in a step 25. The non-binary authentication value is then updated based on the new
information in a step 26 and new requests to data services are policed based on the updated non-binary authentication value.
The updated non-binary authentication value is thereby based on a plurality of input values and can also be based on multiple input parameters. Input parameters that can be used to adjust the non-binary authentication value can for example be: · Physical proximity of devices (my phone, smart watch etc. is close to this place)
User friendly passwords (short and simple to break) a user friendly password can have no restrictions or at least no restrictions as to any specific combination of different types of characters used, whereas a strong password typically has a restriction that different types of characters needs to be used an/or that the password is of at least some length
Biometrics
Fingerprint, voice, retinal scan
Behavioural patterns. Behavior pattern can be user behaviours that statistically matches with current user behavior. For example, a user may visit website www.cnn.com everyday between 7:00-8:00. After that user is calling to certain people, then user play certain game for next 5 min. User may type keyboard with certain similar speed.
How user touches input devices like key board or moves mouse.
Internet browsing history
To Whom user has made phone calls, sent short messages, etc.
Location, this user has been in these particular addresses
User is using some particular computer application(s)
Location as determined by positioning system, such as GPS
Measuring user behaviour (sitting in home location, patterns can be formed using the sensors in the home)
Frequency of touching a mobile device screen
Keyboard tying speed
Swiping speed on the screen
Holding the phone in certain angle (using accelerometer)
The apparatus 202 providing access control to a data service can in accordance with some exemplary embodiments be integrated in the computer device used by the user. This is shown in Fig. 3. Further, the data service 203 can reside inside the computer device 201 as is also indicated in Fig. 3.
In another exemplary embodiment, the apparatus 202 providing access control to a data service can in accordance with some exemplary
embodiments be external from the computer device used by the user. This is
shown in Fig. 4. For example, the apparatus 202 can then be a stand-alone server or a cloud service. Further, the data service 203 can reside inside the computer device 201 as is also indicated in Fig. 4.
The apparatus thus can be configured to collect data to generate an aggregated confidence level (user authenticity level) information from user inputs defined by multiple factors. Further, an aggregated user confidence level over time can be generated using information from various user inputs (multiple factors, weak and strong)
Based on the, typically aggregated user authenticity level thus generated access control decisions are made.
A conventional authentication is atomic and binary with only one outcome, user either is or not whom she claims to be. If she is then she can access everything she has been granted.
The mechanism as described herein generates a non-binary authentication value that is associated with a user of a computer device. The aggregated confidence levels formed results in that access privileges can be added is the confidence level is increased (or subtracted if the confidence level is reduced).
In accordance with some embodiments some data services such as financial, private and sensitive information access can still be associated with a strong, specific, factor. In other words, some data services cannot be accessed using the above mechanisms only. Instead some data services can require a specific authentication protocol (such as the entering of a strong password).
Each data service can be associated with a particular policy defining the exact authentication level required to access the data service.
Using the authentication mechanism as described herein where a user will (assuming that it is the correct user) continue to gain higher privileged access to the data services with the set policies without the need to enter a password as and when the authentication confidence is gained (increased).
When there is a need to have strong authentication in very short time (e.g., make payment to buy music or movies) strong factors like passwords or biometric authentication can be used independently of the authentication mechanism described herein. However, for a daily use it is very unlikely that users would need to make payments very often. In any event these types of transactions are typically made much less frequently than other types of accessed data services.
The control mechanism as described herein can be used in any computer device that requires authentications and access control. Few example (but not limited to):
Recognise and provide full access to home accessories to be controlled from a mobile device. Only to a user who has gained full confidence from the system, rest users will only be able to access basic features like access in to home, able to switch on lights etc., · In cars; only those users who gained full access are able to start and drive the car in full capacity, the access control can be made in a way so that if the users child tries to drive the car in his absence the intelligent agent can set a speed limit or not let the car drive for more than certain kilometres and/or inform the original user about the driving of the car by not fully authorized user.
A connected data share environment where the network gateway is connected to users' personal drives, any guest is allowed to join the network (e.g., Wi-Fi) for access, but only those users with aggregated access identified by Intelligent agent can access the hard drive data. · To provide levels of data access to a specified data or network level e.g., a person which lower authentication can see only 2 of the 10 files available in the network drive, but a person with higher authentication level who has satisfied both strong and weak authentication factors can see all 10 of 10 files and a person with mid-level authentication access can see only 5 of 10 files etc.,
For a quick comparison with existing authentication mechanisms, take an example for a smart home that has connections to various equipment in the house and security system. From this perspective as the Smart home control is centralized to one local server (or remote) that is able to monitor and track all these connected systems. It is then only necessary to make software changes to this server such that the access control apparatus 202 is part of this server and is able to make authorization and access decisions based on the input it has received from various systems, and access to the data and devices is granted accordingly. There are no hardware changes needed for this purpose (however every new sensor added to the smart home needs to be updated in the intelligent agent program). The same idea is applicable to the Gateway concept in the current and upcoming Internet of Things concept, where all the connected devices are controlled by user. Collected inputs for Intelligent Agent may come from various sensor devices. These input devices might be implemented as pure Hardware (HW) or combination of HW and Software (SW).
The mechanism as described herein provides a way to provide access to different users automatically based on defined behavioural patterns. No user database needs to be provided. Further, the security risks associated with a user database by tampering, forge and accidental deletion in the database can be reduced.
The proposed solution makes it possible for a computing device or an authenticating gateway (smart homes, cars, bio metric servers etc.,) to be able to confidently identify the user that has requested access to the system, and control the access to the data base or accessories or limit the features of a system based on the pre-set patters qualification.
Claims
1 . A computer device (201 ) for providing access to multiple data services (203), the computer device being configured to: - upon a request for access to a data service of said multiple data services, compare a user specific non-binary authentication value of a current user with a predetermined access level value of the data service, and
- provide access to the requested data service based on the outcome of the performed comparison between the non-binary authentication value and the predetermined access level value of the data service.
2. The computer device (201 ) according to claim 1 , wherein the computer device is configured to generate the user specific non-binary authentication value.
3. The computer device (201 ) according to claim 1 , the computer device is configured to receive the user specific non-binary authentication value from another entity.
4. The computer device (201 ) according to any of claims 1 - 3, wherein the user specific non-binary authentication value is based on a set of predefined user behaviors.
5. The computer device (201 ) according to any of claims 1 - 4, wherein the computer device is configured to continuously or periodically update the user specific non-binary authentication value.
6. The computer device (201 ) according to any of claims 1 - 5, wherein the user specific non-binary authentication value corresponds to a probability that a user is correctly authenticated and that the computer device is configured to provide access to more data services the higher the probability of a correct user as indicated by the user specific non-binary authentication value.
7. An apparatus (202) for authentication of a user of a computer device (201 ), configured to: - receive data of at least one user specific parameter each representing a user behavior characterizing the user,
- determine a non-binary authentication value based on the received data, and
- output said non-binary authentication value as a user specific non-binary authentication value.
8. The apparatus (202) according to claim 7, wherein the apparatus is configured to receive data for at least two user specific parameters.
9. The apparatus (202) according to any of claims 7 or 8, wherein said at least one user specific parameter comprises at least one of: Physical proximity of at least one device, a user-friendly password, one or more biometric parameter(s) and at least one behavioral pattern.
10. The apparatus (202) according to any of claims 7 - 9, wherein the apparatus is configured to dynamically change the non-binary authentication value based on a received additional data representing user behavior.
1 1 . The apparatus (202) according to any of claims 7 - 10, wherein the apparatus is configured to time stamp the data representing user behavior and further configured to base the determined non-binary authentication value on the time of the received data representing user behavior.
12. The apparatus (202) according to any of claims 7 - 1 1 , wherein the apparatus is configured to decrease the determined non-binary
authentication value after a pre-determined time period if no new additional data representing user behavior is provided to the apparatus during said pre- determined time period.
13. The apparatus (202) according to any of claims 7 - 12, wherein the apparatus is configured to set the determined non-binary authentication value to a predetermined value when the computing device is locked.
14. The apparatus (202) according to any of claims 7 - 13, wherein the apparatus is configured to decrease the determined non-binary
authentication value when receiving new additional data representing user behavior indicating that a wrong user is using the computer device.
15. The apparatus (202) according to any of claims 7 - 14, wherein the apparatus is configured to increase the determined non-binary authentication value when receiving new additional data representing user behavior indicating that a correct user is using the computer device.
16. The apparatus (202) according to any of claims 7 - 15, wherein the user specific non-binary authentication value corresponds to a probability that a user is correctly authenticated.
17. A computer device (201) according to claim 1 comprising the apparatus according (202) to any of claims 7-16.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2017/053506 WO2018149497A1 (en) | 2017-02-16 | 2017-02-16 | System and method for authentication of a user |
CN201780081624.2A CN110121872A (en) | 2017-02-16 | 2017-02-16 | Subscriber authentication system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2017/053506 WO2018149497A1 (en) | 2017-02-16 | 2017-02-16 | System and method for authentication of a user |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018149497A1 true WO2018149497A1 (en) | 2018-08-23 |
Family
ID=58094411
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2017/053506 WO2018149497A1 (en) | 2017-02-16 | 2017-02-16 | System and method for authentication of a user |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110121872A (en) |
WO (1) | WO2018149497A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100115610A1 (en) * | 2008-11-05 | 2010-05-06 | Xerox Corporation | Method and system for providing authentication through aggregate analysis of behavioral and time patterns |
EP2933981A1 (en) * | 2014-04-17 | 2015-10-21 | Comptel OYJ | Method and system of user authentication |
US20160021081A1 (en) * | 2014-07-15 | 2016-01-21 | Verizon Patent And Licensing Inc. | Mobile device user authentication based on user behavior information |
US20160253486A1 (en) * | 2015-02-27 | 2016-09-01 | Plantronics, Inc. | Authentication Server for a Probability-Based User Authentication System and Method |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014140426A1 (en) * | 2013-03-13 | 2014-09-18 | Bookit Oy Ajanvarauspalvelu | Multi-factor authentication techniques |
CN103533546B (en) * | 2013-10-29 | 2017-03-22 | 无锡赛思汇智科技有限公司 | Implicit user verification and privacy protection method based on multi-dimensional behavior characteristics |
-
2017
- 2017-02-16 CN CN201780081624.2A patent/CN110121872A/en active Pending
- 2017-02-16 WO PCT/EP2017/053506 patent/WO2018149497A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100115610A1 (en) * | 2008-11-05 | 2010-05-06 | Xerox Corporation | Method and system for providing authentication through aggregate analysis of behavioral and time patterns |
EP2933981A1 (en) * | 2014-04-17 | 2015-10-21 | Comptel OYJ | Method and system of user authentication |
US20160021081A1 (en) * | 2014-07-15 | 2016-01-21 | Verizon Patent And Licensing Inc. | Mobile device user authentication based on user behavior information |
US20160253486A1 (en) * | 2015-02-27 | 2016-09-01 | Plantronics, Inc. | Authentication Server for a Probability-Based User Authentication System and Method |
Also Published As
Publication number | Publication date |
---|---|
CN110121872A (en) | 2019-08-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10462120B2 (en) | Authentication system and method | |
CN110463161B (en) | Password state machine for accessing protected resources | |
US10440019B2 (en) | Method, computer program, and system for identifying multiple users based on their behavior | |
US10044761B2 (en) | User authentication based on user characteristic authentication rules | |
US11184353B2 (en) | Trusted status transfer between associated devices | |
JP5727008B2 (en) | Operating system unlocking method and mobile phone | |
US11212283B2 (en) | Method for authentication and authorization and authentication server using the same for providing user management mechanism required by multiple applications | |
US10868672B1 (en) | Establishing and verifying identity using biometrics while protecting user privacy | |
US8868921B2 (en) | Methods and systems for authenticating users over networks | |
US11140171B1 (en) | Establishing and verifying identity using action sequences while protecting user privacy | |
US9037849B2 (en) | System and method for managing network access based on a history of a certificate | |
US20170317993A1 (en) | User authentication based on tracked activity | |
US8656473B2 (en) | Linking web identity and access to devices | |
US10110578B1 (en) | Source-inclusive credential verification | |
CN103827811A (en) | Managing basic input/output system (BIOS) access | |
EP2836957A1 (en) | Location-based access control for portable electronic device | |
WO2012120355A1 (en) | User authentication method for accessing an online service | |
Peisert et al. | Principles of authentication | |
CN110869928A (en) | Authentication system and method | |
US20180052987A1 (en) | Server system and method for controlling multiple service systems | |
US20220376902A1 (en) | Resource access control | |
WO2018149497A1 (en) | System and method for authentication of a user | |
TW200828069A (en) | Control module and method of identity recognition | |
KR100786062B1 (en) | Proof and protection method of personal information in public using receiver | |
GB2587191A (en) | Resource access control |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 17706191 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 17706191 Country of ref document: EP Kind code of ref document: A1 |