WO2019088909A1 - Mobile identification using thin client devices - Google Patents

Mobile identification using thin client devices

Info

Publication number
WO2019088909A1
Authority
WO
WIPO (PCT)
Prior art keywords
thin
server resource
mobile terminal
service terminal
communication
Application number
PCT/SE2018/051120
Other languages
English (en)
Inventor
Joachim Samuelsson
Original Assignee
Crunchfish Proximity Ab
Priority claimed from SE1751576A (patent SE542530C2)
Application filed by Crunchfish Proximity Ab
Priority to US16/760,948 (patent US11778473B2)
Publication of WO2019088909A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35 User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Definitions

  • the present invention generally relates to mobile identification (m-identification). More specifically, the invention relates to a communication system, method, mobile computing device, computing device and server computing device for performing mobile identification.
  • Further example situations include sale of restricted goods or services (such as, for instance, alcohol, tobacco, vehicles, pharmaceutical drugs, weapons or ammunition), etc.
  • Yet other example situations include registering loyalty programs at retail merchants, etc., login or registration to use any type of hardware such as computers, machines, vehicles, etc., automated check-in at events, premises, transportation facilities, schools, etc., and controlling access to age-restricted services.
  • the present inventor has identified problems and shortcomings with the prior art.
  • the present inventor has identified both the need for and the benefits of mobile digital identification in IRL scenarios where two human persons (or one person and an autonomous service terminal) are at the same physical location and one of the persons (or the autonomous service terminal) needs to verify the (other) person's identity.
  • a first aspect of the present invention is a communication system comprising a thin-client mobile terminal having a device identity, a thin-client service terminal, and a remote system server resource.
  • the thin-client mobile terminal is configured for receiving from the service terminal a short-range wireless communication signal representing an identification request, and in response communicating with the remote server resource by long-range broadband data communication to report the identification request as well as the device identity of the mobile terminal.
  • the remote system server resource is configured for using the reported device identity of the mobile terminal to retrieve identification information about a human person by accessing a storage, and causing communication of the retrieved identification information to the thin-client service terminal by long-range broadband data communication.
  • a second inventive aspect is a method for performing mobile identification, the method involving:
  • the method for performing mobile identification according to the second inventive aspect may additionally involve any of the functional features defined in this document for the different alternatives and embodiments of the communication system according to the first inventive aspect.
  • a third inventive aspect is a mobile computing device comprising a memory for storing an identity associated with the mobile computing device, a controller, a short-range wireless communication interface, and a long-range broadband
  • the controller is configured for performing the functionality defined for the thin-client mobile terminal in the communication system according to the first inventive aspect, and/or the functionality defined for the thin-client mobile terminal in the method for performing mobile identification according to the second inventive aspect.
  • a fourth inventive aspect is a computing device comprising a controller, a short-range wireless communication interface, and a long-range broadband
  • the controller is configured for performing the functionality defined for the thin-client service terminal in the communication system according to the first inventive aspect, and/or the functionality defined for the thin-client service terminal in the method for performing mobile identification according to the second inventive aspect.
  • a fifth inventive aspect is a server computing device configured for performing the functionality defined for the remote system server resource in the communication system according to the first inventive aspect, and/or the functionality defined for the remote system server resource in the method for performing mobile identification according to the second inventive aspect.
  • the thin-client mobile terminal and thin-client service terminal are "thin clients" in the sense that there is no need for them to communicate directly with each other (except for the short-range wireless communication signal which represents an identification request); instead they communicate with the remote system server resource by long-range broadband data communication. No other limitations are intended by the prefix "thin-client".
  • Fig 1 illustrates an embodiment of a communication system configured for performing mobile identification using thin client devices.
  • Fig 2 illustrates another embodiment of the communication system configured for performing mobile identification using thin client devices.
  • Fig 3 illustrates one such device in the form of a mobile computing device implementing a thin-client mobile terminal.
  • Fig 4 illustrates another such device in the form of a computing device implementing a thin-client service terminal.
  • Fig 5 illustrates an alternative communication system for performing mobile identification using thin client devices.
  • Fig 6 illustrates a method for performing mobile identification.
  • Fig 1 illustrates a communication system 100 generally according to the present invention.
  • the communication system 100 comprises a thin-client mobile terminal MT having a device identity MT ID, a thin-client service terminal ST, and a remote system server resource SS.
  • a user P of the thin-client mobile terminal MT may approach the thin-client service terminal ST at a service point.
  • the service terminal ST may be manually operated by a human person, referred to as operator O in this document.
  • the service terminal ST may operate autonomously without needing a human person to operate it.
  • the service terminal may be stationary (i.e., designed and configured to remain at the service point at the same physical position), as can be seen at 120 in Fig 1.
  • the thin-client service terminal ST may instead be mobile as well. This can be seen at 128 in Fig 1. In such cases, it may be that an operator O of the service terminal ST approaches the user P and the thin-client mobile terminal MT with the service terminal ST, or the other way around like when the service terminal is stationary 120; the service point will hence not be at one and the same physical position but instead be defined as the current location of the mobile service terminal ST 128.
  • the reason for the mobile identification may be that the service terminal ST/its operator O needs to verify the true identity of the user in order to perform some kind of service.
  • the service may, for instance and without limitation, involve:
  • service terminal ST/its operator O needs to verify a property, capability or asset of the user P in order to perform some kind of service.
  • Such service may, for instance and without limitation, involve: verification of driver's license, passport, visa, membership, valid ticket possession, library admittance, gym admittance, entrance admittance to protected premises, payment authorization, credit facilities, etc.
  • the service terminal ST has a transmitter function TX for transmitting a short-range wireless communication signal BA which represents an identification request ID REQ.
  • the transmitter function TX may be implemented by short-range wireless communication circuitry comprised in the service terminal ST itself in some embodiments, as is seen at 122 in Fig 1 (also see for instance short-range wireless communication interface 176 in computing device 170 in Fig 4). This will typically also be the case when the service terminal ST is a mobile terminal as seen at 128 in Fig 1.
  • the transmitter function TX may be a separate transmitter device being positioned external to but physically near the service terminal ST, as seen at 124 in Fig 1. "Physically near" may include the transmitter device TX 124 being mounted at ceiling level or floor level. The separate transmitter device TX 124 may be connected to the service terminal ST, as seen at 126 in Fig 1, or it may operate as an autonomous device.
  • the thin-client mobile terminal MT is configured for receiving from the service terminal ST the short-range wireless communication signal BA which represents the identification request ID REQ.
  • 'the thin-client mobile terminal MT ... receiving from the service terminal ST' means receiving the short-range wireless communication signal BA as transmitted by the transmitter function TX of the service terminal ST.
  • the transmitter function TX is separate 124 from the service terminal ST
  • 'the thin-client mobile terminal MT ... receiving from the service terminal ST' means receiving the short-range wireless communication signal BA from the separate transmitter function TX 124 which is positioned external to but physically near the service terminal ST.
  • the thin-client mobile terminal MT is configured for communicating 102 with the remote server resource SS by long-range broadband data communication to report the identification request ID REQ as well as the device identity MT ID of the mobile terminal MT.
  • the device identity MT ID associated with the mobile terminal MT may generally be any identity sufficient to identify the mobile terminal MT.
  • the device identity MT ID may be a hardware-based device-specific identity such as a MAC address, Bluetooth ID or an IMEI number. It may alternatively be a firmware-based or software-based device-specific identity. Alternatively, it may be a device-specific identity stored on a data carrier readable by the mobile terminal MT, such as for instance an IMSI number.
  • the remote system server resource SS is configured for using the reported device identity MT ID of the mobile terminal MT to retrieve 103 identification information ID INFO about the human person P by accessing a storage 192.
  • the remote system server resource SS is furthermore configured for causing communication 104 of the retrieved identification information ID INFO to the thin-client service terminal ST by long-range broadband data communication.
  • Another advantage is that it can be implemented without requiring manual interaction from the user P, or at least only limited interaction (for examples of such limited interaction, please refer to the later sections in this document concerning verification control data for the user P).
  • the storage 192 may contain a mapping 194 between device identities and human person identities.
  • the remote system server resource SS may be configured for using the mapping 194 to determine a person identity P ID in the storage 192 which matches the reported device identity MT ID of the mobile terminal MT.
  • the remote system server resource SS may be configured for using the determined person identity P ID to retrieve the identification information ID INFO about the human person P.
  • the storage 192 is associated with the remote server resource SS.
  • the storage 192 furthermore stores a data structure 196 which contains identification information for various human persons, including the identification information ID INFO about the human person P.
  • the remote system server resource SS is configured for retrieving 103 the identification information ID INFO about the human person P from the data structure 196 by using the determined person identity P ID to query the data structure 196 in the storage 192.
  • When the identification information ID INFO has been retrieved by the remote server resource SS in this way, the remote server resource SS will communicate 104 the retrieved identification information ID INFO to the thin-client service terminal ST by long-range broadband data communication, as previously described and as seen at 104 in Fig 1.
  • the storage 192 is still associated with the remote server resource SS, but the communication system 100 furthermore comprises one or more additional remote server resources SS', SS".
  • the remote server resource SS is configured for retrieving 105 the identification information ID INFO about the human person P from one of the additional remote server resources SS', SS" using the determined person identity P ID as retrieved from the storage 192.
  • each additional remote server resource SS', SS" may have an associated storage 192' for storing a data structure 196', which contains identification information for various human persons, including the identification information ID INFO about the human person P. Again, this can be seen in Fig 2.
  • data structure 196' in Fig 2 is functionally equivalent to data structure 196 in Fig 1 and can be queried by using the determined person identity P ID.
  • the remote system server resource SS sends a request to the additional remote server resource SS' for retrieving the identification information ID INFO about the human person P from the data structure 196'.
  • the request contains the determined person identity P ID.
  • the additional remote server resource SS' uses the person identity P ID to retrieve the identification information ID INFO about the human person P from the data structure 196', and then responds to the remote system server resource SS at 105b by providing the retrieved identification information ID INFO.
  • When the identification information ID INFO has been returned to the remote server resource SS in this way, the remote server resource SS will communicate 104 the retrieved identification information ID INFO to the thin-client service terminal ST by long-range broadband data communication, as previously described and as seen at 104 in Fig 2.
  • the remote server resource SS is configured for requesting 105a the additional remote server resource SS' to retrieve the identification information ID INFO about the human person P, the request including the determined person identity P ID.
  • the additional remote server resource SS' is configured for using the determined person identity P ID to retrieve 103' the identification information ID INFO about the human person P from the data structure 196' associated with the additional remote server resource SS', and responding 105b to the remote system server resource SS by providing the retrieved identification information ID INFO.
  • the remote server resource SS is configured for communicating 104 the retrieved identification information ID INFO to the thin-client service terminal ST by long-range broadband data communication.
  • the additional remote server resource SS' may itself take care of the communication of the retrieved identification information ID INFO to the thin-client service terminal ST. This can be seen at 106 in Fig 2.
  • the remote server resource SS may provide sufficient address information for broadband data communication with the service terminal ST in the request 105a.
  • the remote server resource SS is configured for requesting 105a the additional remote server resource SS' to retrieve the identification information ID INFO about the human person P, the request including the determined person identity P ID.
  • the additional remote server resource SS' is configured for using the determined person identity P ID to retrieve 103' the identification information ID INFO about the human person P from the data structure 196' associated with the additional remote server resource SS', and communicating 106 the retrieved identification information ID INFO to the thin-client service terminal ST by long-range broadband data communication.
  • the identification request ID REQ represented by the short-range wireless communication signal BA from the (transmitter function TX of the) service terminal ST may advantageously contain an identity ST ID associated with the service terminal ST. In some embodiments, it is the identity ST ID per se that constitutes the identification request ID REQ. Additionally or alternatively, the identification request ID REQ may contain data REQ TYPE specifying a type of identification requested.
  • the identity ST ID associated with the service terminal ST may be used by the remote server resource SS to determine sufficient address information about the intended receiver (i.e., the service terminal ST) of the retrieved identification information ID INFO for the broadband data communication 104 or 106.
  • address information may, for instance, comprise an IP address or a URL.
  • the identification request ID REQ at least contain some data to allow the remote server resource SS (or additional remote server resource SS') to determine sufficient address information for the broadband data communication 104 (or 106) with the intended receiver (i.e., the service terminal ST).
  • the data REQ TYPE specifying the type of identification requested may be used by the remote server resource SS (or additional remote server resource SS') to determine what contents to retrieve and include in the identification information to be communicated at 104 (or 106) to the thin-client service terminal ST.
  • the data REQ TYPE specifying the type of identification requested will allow the remote server resource SS to decide which of the additional remote server resources SS', SS" to retrieve 105, 103' the identification information ID INFO about the human person P from.
  • the identity ST ID associated with the service terminal ST may be used by the remote server resource SS (or additional remote server resource SS') to determine what contents to retrieve and include in the identification information to be communicated at 104 (or 106) to the thin-client service terminal ST.
  • the information may be held by the remote server resource SS or additional remote server resource SS', SS" as a trusted authority, such as a bank or governmental organization.
  • Information verifying a property, capability or asset of the person P such as driver's license information, membership information, valid ticket possession information, library card information, gym card information, entrance access card information, etc.
  • the information may be held by the remote server resource SS or additional remote server resource SS', SS" as a trusted authority, such as a bank or governmental organization, or a private company being the issuer, provider, distributor or administrator of the property, capability or asset of the person P in question.
  • the identification information ID INFO may be delivered to the thin-client service terminal ST in any digital format suitable for its intended use.
  • the intended use may typically involve presenting the identification information ID INFO in a user interface 173 of the thin-client service terminal ST.
  • the user interface 173 may include a presentation device 175 and an input device 177 to this end.
  • the mobile identification functionality of the present invention is based on physical proximity between the mobile terminal MT and the service terminal ST.
  • the communication system 100 is preferably configured such that the mobile terminal MT will only receive 101, or at least only react upon, the short-range wireless communication signal BA from the service terminal ST when the mobile terminal MT is physically near the service terminal ST. This will decrease the risk of false activation of the mobile terminal MT and prevent undesired activation of other signal receiving devices in the neighborhood.
  • One way is for the service terminal ST to use a low transmission power for the short-range wireless communication signal BA, such that it can only be received when the mobile terminal MT is physically very near the service terminal ST.
  • Another way is to configure the mobile terminal MT such that it checks the received signal strength of the short-range wireless communication signal BA and based thereon makes a decision whether or not it is sufficiently near the service terminal ST.
  • This notion may be referred to as ranging.
  • the transmitter function TX of the thin-client service terminal ST is a beacon transmitter device BTD which is included in or implemented by the thin-client service terminal ST itself, or alternatively is connected with or at least located spatially close to the thin-client service terminal ST.
  • the beacon transmitter device BTD is configured for repetitive transmission of a short-range wireless beacon signal BA (also known as a beacon advertisement signal) that implements the short-range wireless communication signal BA which represents the identification request ID REQ.
  • the thin-client mobile terminal MT may be configured for storing, in a memory 152 of the mobile terminal MT, one or more predefined service terminal identities ST ID 1 ... ST ID n. This can be seen in Fig 3.
  • the thin-client mobile terminal MT may also be configured for receiving 101 the short-range wireless communication signal BA which represents the identification request ID REQ by monitoring for short-range wireless beacons signals containing any of the predefined service terminal identities ST ID 1 ... ST ID n.
  • the beacon transmitter device BTD may for instance be compliant with Apple iBeacon. It may be compliant with or based on the Bluetooth Low Energy, BLE, standard, and more particularly on Generic Access Profile, GAP, advertising packets. Accordingly, the short-range wireless beacon signal will be transmitted in a 31-byte GAP BLE packet. Alternatively, other kinds of short-range wireless beacon
  • beacon transmitter device BTD may implement the beacon transmitter device BTD.
  • the beacon receivers may be in active mode as well as passive mode.
  • passive and active beacon receivers reference is made to the following patent applications by the present applicant, the respective contents of which are incorporated herein by reference in their entirety: SE 1551329-4 "IMPROVED ABILITY TO DETECT PASSIVE BEACON RECEIVER DEVICES IN A SHORT-RANGE WIRELESS BEACON COMMUNICATION SYSTEM", SE 1551516-6 "IMPROVED ABILITY TO INTERACT WITH PASSIVE BEACON RECEIVER DEVICES IN A SHORT-RANGE WIRELESS BEACON COMMUNICATION SYSTEM", SE 1551557-0 "IMPROVED METHOD OF
  • the mobile terminal MT is a beacon receiver
  • it may advantageously be configured such that its user P may use it for performing mobile identification even when it is in passive mode.
  • a mobile identification app or functionality in the mobile terminal MT may be capable of performing some activity during a certain time window (for instance 10 - 180 seconds) after the detection of the short-range wireless communication signal BA, even when the mobile terminal MT is in passive mode. This means that the identification procedure may be performed very fast and without requiring the user P to even hold the mobile terminal MT in his hands.
  • the passive mode activity may also include detecting an interaction for user verification purposes as described above.
  • the mobile terminal MT will be capable of doing mobile identification also when it is in active mode, still allowing a very fast identification procedure.
  • the short-range wireless communication signal BA which represents the identification request ID REQ and is received by the thin-client mobile terminal MT may be a near-field communication, NFC, signal, a radio frequency identification, RFID, signal, a Bluetooth signal, a wireless LAN signal, or another form of proximity-based, device-to-device radio communication signal, such as an LTE Direct signal.
  • the broadband data communication as referred to in this document involves encrypted/secure IP communication.
  • the broadband data communication referred to in this document for the thin-client service terminal ST may, for instance, be compliant with WCDMA, HSPA, GSM, UTRAN, UMTS, LTE or LTE Advanced, or alternatively wired data communication based, for instance, on TCP/IP.
  • verification control data provided by the user P of the mobile terminal MT may be required in order to protect the personal integrity of the user P, and/or in order to enhance the reliability of the verification of the identity of the user P from the perspective of the operator O of the service terminal ST.
  • the verification control data may comprise a passcode entered by the user P, such as a PIN code, password or personal information (such as a social security number or person##), or it may comprise a biometric sample, such as a fingerprint, iris scan, face scan or voice sample, or a combination thereof.
  • the thin-client service terminal ST may have a user interface 173 including a presentation device 175 and an input device 177.
  • a computing device 170 which may implement such a service terminal ST is shown in Fig 4 and described in more detail in a later section of this document.
  • the thin-client service terminal ST may be configured for receiving, by the input device 177, a user input from the user P of the thin-client mobile terminal MT, wherein the user input comprises verification control data VCD.
  • the thin-client service terminal ST may further be configured for communicating the received verification control data VCD to the remote system server resource SS by long-range broadband data communication. This may, for instance, be done in the communication step 102 in Figs 1 and 2, or alternatively as a separate communication step.
  • the remote system server resource SS may be configured for causing verification of the received verification control data VCD, and only when the verification is successful causing communication 104; 106 of the retrieved identification information ID_INFO to the thin-client service terminal ST by long-range broadband data communication.
  • the remote system server resource SS may be configured for causing verification of the received verification control data VCD by using the reported identity MT_ID associated with the mobile terminal MT or, alternatively, the determined person identity P_ID, to retrieve verification reference data from a storage (such as storage 192), and causing comparison between the received verification control data VCD and the retrieved verification reference data.
  • the comparison may be done by the remote system server resource SS itself, or by requesting a validation service from an external resource.
  • identification information ID_INFO pertaining to the user P (as identified by the device identity MT_ID of his mobile terminal MT) will be delivered to the service terminal ST only when there is a match between MT_ID and P_ID and in addition there is also a match between the verification control data VCD provided by the user P and the verification reference data as retrieved by the remote system server resource SS. From the perspective of the operator O of the service terminal ST, this beneficially means that any identification information ID_INFO actually received from the remote system server resource SS should be considered as highly trustworthy.
  • user interaction e.g. user verification
  • the mobile terminal MT may be configured to detect an interaction by the user P and verify that the interaction corresponds to a predefined actuation of the mobile terminal MT.
  • the mobile terminal MT may moreover be configured to proceed with the step of communicating 102 with the remote server resource SS by long-range broadband data communication to report the identification request ID_REQ as well as the device identity MT_ID of the mobile terminal MT only when it has been verified that the interaction corresponds to the predefined actuation. Otherwise, the mobile terminal MT will not make the communication 102, and no identification information ID_INFO will be retrieved by the remote system server resource SS.
  • the interaction may, for instance but not limited to, be any of the following:
  • a predefined actuation of the mobile terminal MT in the form of entry of verification control data VCD such as entry of a passcode (e.g. PIN code or password) or a biometric sample (e.g. a fingerprint scan, a face scan or an iris scan).
  • the mobile terminal MT may be configured, after having received 101 the short-range wireless communication signal BA, to receive an entry from the user P of the thin-client mobile terminal MT, wherein the entry comprises verification control data VCD, and communicate the received verification control data VCD to the remote system server resource SS by long-range broadband data
  • the remote system server resource SS may be configured to cause verification of the received verification control data VCD, and cause communication 104; 106 of the retrieved identification information ID_INFO to the thin-client service terminal ST by long-range broadband data communication only when the verification is successful.
  • the remote system server resource SS may be configured for causing verification of the received verification control data VCD by using the reported identity MT_ID associated with the mobile terminal MT or, alternatively, the determined person identity P_ID, to retrieve verification reference data from a storage (such as storage 192), and causing comparison between the received verification control data VCD and the retrieved verification reference data.
  • the comparison may be done by the remote system server resource SS itself, or by requesting a validation service from an external resource.
  • User verification at the mobile terminal MT side may be particularly beneficial for embodiments where the short-range wireless communication signal BA is a short-range wireless beacon signal transmitted by a beacon transmitter device BTD, as previously described above.
  • a method for performing mobile identification will now be described with reference to Fig 6.
  • a first step 310 involves receiving by a thin-client mobile terminal MT from a thin-client service terminal ST a short-range wireless communication signal BA representing an identification request ID_REQ. This corresponds to 101 in Figs 1 and 2.
  • a second step 320 in response involves communicating with a remote server resource SS by long-range broadband data communication to report the identification request ID_REQ as well as a device identity MT_ID of the mobile terminal MT. This corresponds to 102 in Figs 1 and 2.
  • a third step 330 involves retrieving identification information ID_INFO about a human person P by accessing a storage 192, 192' using the reported device identity MT_ID of the mobile terminal MT. This corresponds to 103; 105; 103' in Figs 1 and 2.
  • a fourth step 340 involves causing communication of the retrieved identification information ID_INFO to the thin-client service terminal ST by long-range broadband data communication. This corresponds to 104, 106 in Figs 1 and 2.
  • the method for performing mobile identification in Fig 6 may additionally involve any of the functional features defined above for the different alternatives and embodiments of the communication system 100 according to Fig 1 and/or Fig 2.
  • Fig 3 illustrates a mobile computing device 150 which may implement the thin-client mobile terminal MT as described herein.
  • the mobile computing device 150 comprises a memory 152 for storing the identity MT_ID associated with the mobile computing device MT.
  • the mobile computing device 150 also comprises a controller 154, a short-range wireless communication interface 156, and a long-range broadband communication interface 158.
  • the controller 154 is configured for performing the functionality defined for the thin-client mobile terminal MT in the communication system 100 as described herein, and/or the functionality defined for the thin-client mobile terminal MT in the method for performing mobile identification according to Fig 6.
  • the mobile computing device 150 illustrated in Figure 3 may, for instance, be a mobile phone, tablet computer, personal digital assistant, smart glasses, smart watch or smart bracelet.
  • the controller 154 may be a processing unit in the form of, for instance, one or more microcontrollers, CPUs and/or DSPs, being programmed to perform its functionality as described in this document by the processing unit executing program instructions of a computer program.
  • the mobile computing device 150 may have computer program code 153a for an m-identification app, or similar program, stored in the memory 152 and executable by the controller 154 to perform the functionality for the thin-client mobile terminal MT as defined in this document.
  • the controller 154 may be implemented as an FPGA, ASIC, etc.
  • the mobile computing device 150 may comprise a user interface including a presentation device and an input device, much like the user interface 173 with its presentation device 175 and input device 177 of the computing device 170 in Fig 4.
  • Fig 4 illustrates a computing device 170 which may implement the thin-client service terminal ST as described herein.
  • the computing device 170 comprises a controller 174, a short-range wireless communication interface 176, and a long-range broadband communication interface 178.
  • the controller 174 is configured for performing the functionality defined for the thin-client service terminal ST in the communication system 100 as described herein, and/or the functionality defined for the thin-client service terminal ST in the method for performing mobile identification according to Fig 6.
  • the computing device 170 illustrated in Figure 4 may, for instance, be a tablet computer, laptop computer, mobile phone, desktop computer, personal digital assistant, smart glasses, smart watch, smart bracelet, service terminal apparatus, machine or vehicle.
  • the controller 174 may be a processing unit in the form of, for instance, one or more CPUs and/or DSPs, being programmed to perform its functionality as described in this document by the processing unit executing program instructions of a computer program.
  • the computing device 170 may have computer program code 173a for an m-identification app, or similar program, stored in the memory 172 and executable by the controller 174 to perform the functionality for the thin-client service terminal ST as defined in this document.
  • the controller 174 may be implemented as an FPGA, ASIC, etc.
  • a server computing device 190 may implement the remote system server resource SS as described herein and may hence be configured for performing the functionality defined for the remote system server resource SS in the communication system 100 as described herein, and/or the functionality defined for the thin remote system server resource SS in the method for performing mobile
  • the server computing device 190 may, for instance, be a server computer, a cluster of such computer devices, or a cloud computing resource or service. It has a processing unit in the form of, for instance, one or more CPUs and/or DSPs, and is programmed to perform its functionality as described in this document by the processing unit executing program instructions of a computer program.
  • the storage 192 may be a database included in or external to and operatively accessible to the server computing device 190.
  • Figure 5 illustrates an alternative communication system 100' configured for performing mobile identification using thin client devices.
  • Devices MT, ST and remote server resource SS may be the same or substantially the same as has been described above for Figures 1-4. The difference is that the retrieved identification information ID_INFO is communicated (by long-range broadband data communication) to the thin-client mobile terminal MT instead of the thin-client service terminal ST by the remote server resource SS (or the additional remote server resource SS', SS").
  • the retrieved identification information ID_INFO may be presented in a user interface of the mobile device MT, such as for instance on a display screen thereof.
  • the user P of the thin-client mobile terminal MT may show the presented contents of the retrieved identification
  • the alternative communication system 100' comprises a thin-client mobile terminal MT having a device identity MT_ID, a thin-client service terminal ST, and a remote system server resource SS.
  • the thin-client mobile terminal MT is configured for receiving 101 from the service terminal ST a short-range wireless communication signal BA representing an identification request ID_REQ, and in response communicating 102 with the remote server resource SS by long-range broadband data communication to report the identification request ID_REQ as well as the device identity MT_ID of the mobile terminal MT.
  • the remote system server resource SS is configured for using the reported device identity MT_ID of the mobile terminal MT to retrieve 103 identification information ID_INFO about a human person P by accessing a storage 192, and causing communication 104 of the retrieved identification information ID_INFO to the thin-client mobile terminal MT by long-range broadband data communication.
  • the alternative communication system 100' in Fig 5 may have any or all of the features of the dependent communication system claims as filed and attached to this description.
  • the alternative communication system 100' in Fig 5 may have corresponding additional alternative inventive aspects in the form of a method, a mobile computing device (cf 150), a computing device (cf 170) and a server computing device (cf 190), as for the communication system 100 previously described.
  • a corresponding alternative method for the alternative communication system 100' in Fig 5 is a method for performing mobile identification according to which a first step involves receiving by a thin-client mobile terminal MT from a thin-client service terminal ST a short-range wireless communication signal BA representing an identification request ID_REQ.
  • a second step of the corresponding alternative method in response involves communicating with a remote server resource SS by long-range broadband data communication to report the identification request ID_REQ as well as a device identity MT_ID of the mobile terminal MT.
  • This corresponds to 102 in Figs 1, 2 and 5, and is identical to step 320 in Fig 6.
  • a third step of the corresponding alternative method involves retrieving identification information ID_INFO about a human person P by accessing a storage 192 using the reported device identity MT_ID of the mobile terminal MT. This corresponds to 103 in Figs 1, 2 and 5, and is identical to step 330 in Fig 6.
  • a fourth step of the corresponding alternative method involves causing communication of the retrieved identification information ID_INFO to the thin-client mobile terminal MT by long-range broadband data communication.
  • the fourth step of the corresponding alternative method corresponds to 104/106 in Figs 1, 2 and 5 and to step 340 in Fig 6, however with the difference that it causes communication of the retrieved identification information ID_INFO not to the service terminal ST but to the thin-client mobile terminal MT.
  • the method for performing mobile identification in Fig 6 may additionally involve any of the functional features defined above for the different alternatives and embodiments of the communication system 100 according to Fig 1 and/or Fig 2.
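
The server-side part of the method (steps 320 to 340) with the verification control data gate described above can be sketched as follows. This is an added example, not code from the patent or from the applicant; the class and function names, the `st_id` field inside ID_REQ, the in-memory stand-in for storage 192 and the choice of a salted PBKDF2 hash as verification reference data are all assumptions made for illustration, and the sample identities are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def derive_reference(passcode: str, salt: bytes) -> bytes:
    """Derive verification reference data so the passcode itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Record:
    p_id: str             # person identity P_ID bound to the device identity
    id_info: dict         # identification information ID_INFO
    salt: bytes
    vcd_reference: bytes  # verification reference data (assumed: salted hash)


class ServerResource:
    """Stand-in for the remote system server resource SS with storage 192."""

    def __init__(self):
        self.storage = {}  # MT_ID -> Record
        self.outbox = []   # (recipient, ID_INFO) pairs "sent" by broadband

    def enroll(self, mt_id, p_id, id_info, passcode):
        salt = os.urandom(16)
        ref = derive_reference(passcode, salt)
        self.storage[mt_id] = Record(p_id, id_info, salt, ref)

    def handle_report(self, mt_id, id_req, vcd, deliver_to_mobile=False):
        """Process a report of ID_REQ and MT_ID; True only if ID_INFO was released."""
        record = self.storage.get(mt_id)          # step 330: look up by MT_ID
        if record is None:
            # Unknown device: do the same work so timing does not reveal
            # whether an MT_ID is enrolled, then refuse.
            derive_reference(vcd, b"\x00" * 16)
            return False
        candidate = derive_reference(vcd, record.salt)
        # Constant-time comparison of received VCD against the reference data.
        if not hmac.compare_digest(candidate, record.vcd_reference):
            return False                          # nothing leaves the server
        # Step 340: system 100 delivers to ST, system 100' (Fig 5) to MT.
        recipient = mt_id if deliver_to_mobile else id_req["st_id"]
        self.outbox.append((recipient, record.id_info))
        return True


def demo():
    ss = ServerResource()
    # Constructed sample enrollment.
    ss.enroll("MT-0001", "P-42", {"name": "Constructed Person"}, "4711")
    id_req = {"st_id": "ST-7"}                    # assumed ID_REQ content
    wrong = ss.handle_report("MT-0001", id_req, "0000")
    right = ss.handle_report("MT-0001", id_req, "4711")
    return wrong, right, list(ss.outbox)


if __name__ == "__main__":
    print(demo())
```

A rejected report leaves the outbox untouched, which is the property the operator O relies on when treating any received ID_INFO as trustworthy.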

Abstract

The present invention relates to a communication system (100) comprising a thin-client mobile terminal (MT) having a device identity (MT_ID), a thin-client service terminal (ST), and a remote system server resource (SS). The thin-client mobile terminal (MT) is configured for receiving (101) from the service terminal (ST) a short-range wireless communication signal (BA) representing an identification request (ID_REQ), and in response communicating (102) with the remote server resource (SS) by long-range broadband data communication to report the identification request (ID_REQ) as well as the device identity (MT_ID) of the mobile terminal (MT). The remote system server resource (SS) is configured for using the reported device identity (MT_ID) of the mobile terminal (MT) to retrieve (103, 105, 103') identification information (ID_INFO) about a human person (P) by accessing a storage (192, 192'), and causing communication (104, 106) of the retrieved identification information (ID_INFO) to the thin-client service terminal (ST) by long-range broadband data communication.
PCT/SE2018/051120 2017-11-02 2018-11-02 Mobile identification using thin client devices WO2019088909A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/760,948 US11778473B2 (en) 2017-11-02 2018-11-02 Mobile identification using thin client devices

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
SE1751363-1 2017-11-02
SE1751363 2017-11-02
SE1751576-8 2017-12-19
SE1751576A SE542530C2 (en) 2017-11-02 2017-12-19 Mobile identification using thin client devices

Publications (1)

Publication Number Publication Date
WO2019088909A1 true WO2019088909A1 (fr) 2019-05-09

Family

ID=66332163

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2018/051120 WO2019088909A1 (fr) 2017-11-02 2018-11-02 Mobile identification using thin client devices

Country Status (1)

Country Link
WO (1) WO2019088909A1 (fr)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18874664

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18874664

Country of ref document: EP

Kind code of ref document: A1