WO2020098941A1 - Automatic digital identification system integrated between consumer devices and backend services - Google Patents


Info

Publication number: WO2020098941A1
Authority: WO (WIPO, PCT)
Prior art keywords: client device, service provider, access, authentication, service
Application number: PCT/EP2018/081376
Other languages: French (fr)
Other versions: WO2020098941A8 (en)
Inventors: Igor SHAFRAN, Itamar OFEK
Original Assignee: Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Priority to PCT/EP2018/081376 (WO2020098941A1)
Priority to EP18803969.7A (EP3861795A1)
Priority to CN201880099377.3A (CN112997537B)
Publication of WO2020098941A1
Publication of WO2020098941A8

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/30 Services specially adapted for particular environments, situations or purposes
    • H04W 4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W 4/44 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/16 Discovering, processing access restriction or access information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/61 Time-dependent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/63 Location-dependent; Proximity-dependent

Definitions

  • the backend service is a wireless networking service.
  • the client device is used by a client and/or vehicle.
  • the service provider controls access to an enclosure.
  • the client device is used by a person and/or vehicle requesting access to the enclosure.
  • the backend service comprises accessing the enclosure by the person and/or vehicle.
  • With reference to the first and second aspects, or the first through eighth implementations of the first and second aspects, in a ninth possible implementation of the first and second aspects of the present invention, optionally, the person and/or vehicle are authenticated by the service provider based on the respective UID and one or more access rules.
  • FIG. 1 is an exemplary layout of the various components of an automatic digital identification management system, according to some embodiments of the present invention
  • FIG. 2 is an exemplary dataflow of a process of registration and certification of a client device by a service provider code and an identity management code, according to some embodiments of the present invention
  • FIG. 3 is an exemplary dataflow of a process of authenticating at least one client device for a purpose of connecting to at least one backend service, according to some embodiments of the present invention
  • FIG. 4 is an exemplary dataflow for a registration and authentication of a client device by an SP and the IM system, according to some embodiments of the present invention.
  • FIG. 5 is an exemplary dataflow for a registration and authentication of a client device and a vehicle by an SP and the IM system, according to some embodiments of the present invention.
  • digital identification systems, hereby also known as ‘digital authentication systems’
  • clients and/or consumers are authenticated in order to bind a client/consumer device to at least one backend service according to an access rule.
  • a service provider such as an airline may authenticate pre-registered passengers to access a backend service comprising a wireless network installed at a reception area at an airport terminal, wherein the access rule may be a time period until flight boarding.
  • an identity management (IM) code receives, via a computer network, a plurality of registration requests, for accessing a plurality of backend services of a respective service provider (SP), from an SP code of the respective SP.
  • each registration request comprises one or more access rules, and a unique identifier (UID) on at least one client device.
  • the IM code issues a digital certificate (for example, an x.509 digital certificate) for each respective client device, which may be facilitated by a third party, such as a trusted service.
  • the IM code registers the one or more respective access rules with the respective UID, optionally in a storage medium, local and/or cloud based, and sends the digital certificate to one or more respective client device codes, wherein the respective client device codes install the digital certificate on one or more respective client devices and configure access to one or more of the plurality of backend services.
  • the IM code may receive via the computer network, a plurality of authentication requests, each request sent from a respective SP code from a respective SP, comprising an indication of a respective digital certificate.
  • For each of the plurality of received authentication requests, the IM code performs an authentication analysis based on the received indication and the respective one or more access rules associated with the respective digital certificate. The outcome of each authentication analysis is sent to the respective SP code, which determines the access permission of at least one respective client device to a respective backend service.
  • the existing solutions require client interaction in order to achieve backend service onboarding, usually consisting of one or more of: typing a password, accessing a portal, applying near field communication (NFC) tagging or quick response (QR) codes for configuration, or using pre-installed digital certificates.
  • client device authentication using pre-installed digital certificates does not require active client interaction
  • existing solutions only support enterprise devices, for example binding organizational leased devices by extensible authentication protocol-transport layer security (EAP-TLS) over a local area network (LAN).
  • the present invention may be a system, a method, and/or a computer program product.
  • the computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
  • the computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device.
  • the computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
  • Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.
  • the computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.
  • each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block may occur out of the order noted in the figures.
  • two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • FIG. 1 is a depiction of the system components, according to some embodiments of the present invention.
  • the system is used for managing secure access to backend services of different service providers, unrestricted by types of service providers or backend services.
  • the system may be used by a hotel which grants automatic wireless connectivity to registered clients within their booking period, and/or the hotel may allow access to free parking or any other services according to a plurality of access rules such as booking period and/or VIP access for valued clients.
  • the IM system 100 includes an IM I/O interface 102, an IM storage 104, and one or more IM processor(s) 106.
  • the IM I/O interface 102 receives as inputs registration requests, digital certificate and authentication requests for client devices from SP’s 108, and outputs digital certificates to respective client device(s) 116, and client device authentication verifications to SP code of respective SP’s.
  • the IM storage 104 stores client certificate requests and respective access rule(s), SP’s 108 registration details, and IM code which comprises instructions for managing access to a plurality of backend services of a plurality of service providers.
  • the one or more IM processor(s) 106 is/are adapted to execute the IM code located in the IM storage 104.
  • the one or more SP(s) 108 each have an SP I/O interface 110, an SP storage 112, and one or more SP processor(s) 114.
  • the SP I/O interface 110 outputs SP registration requests to the IM system 100, client device 116 digital certificate issue requests, client device authentication requests, and added value service related updates to client device(s), and receives as inputs client device authentication analysis verifications from the IM system.
  • the SP storage 112 stores client registration details, client authentication verifications, and code instructions for SP code which comprises instructions for managing client device access to a plurality of backend services.
  • the one or more SP processor(s) 114 is/are adapted to execute the SP code located in the SP storage 112.
  • the one or more client device(s) 116 each have a client device I/O interface 118, a client device storage 120, and one or more client device processor(s) 122.
  • the client device I/O interface 118 receives as inputs client registration data from clients, client digital certificates from the IM code, and service related updates from the SP code.
  • the client device storage 120 is allocated on each client device by a respective client device, and stores a respective digital certificate for each client device, backend services configuration values, and added value service updates.
  • the client device storage also stores client device code, which comprises instructions for receiving and installing a digital certificate from the IM system, and for configuring backend services of respective SP’s.
  • the one or more client device processor(s) 122 is/are adapted to execute the client device code located in the client device storage 120.
  • the various system components may be implemented as software and/or firmware.
  • FIG. 2 is an exemplary dataflow of a process of registration and digital certification of a client device, according to some embodiments of the present invention.
  • a client device, for instance a mobile device and/or a laptop operated by a client, may request access to a service by means of a point of sale (POS) and/or registration, as shown in 202.
  • the service may be booking a hotel room, which is accessed by a website registered to a hotel or a third party.
  • the respective SP code receives a registration request from the client device(s).
  • the SP code sends a digital certificate request via the computer network to the IM system 100, according to a client UID and respective access rule(s).
  • a client UID may be based on the client device phone number
  • the access rule(s) may be derived by the service provider module according to the registration, for example, an access rule may be a time frame corresponding to a respective room booking period.
  • the IM system receives the certificate request across the computer network, and as shown in 210, the IM system processes the request according to the IM code and issues a digital certificate according to the client UID and respective access rule(s).
  • the digital certificate may comprise, for example, an x.509 certificate, which may include a respective time period for validity of the certificate.
  • the IM system sends the digital certificate to the client device(s) via the computer network, which install(s) the digital certificate and configures the requested backend service(s) according to instructions in the client device code.
  • FIG. 3 is an exemplary dataflow of a process of authenticating at least one client device for a purpose of connecting to at least one backend service, according to some embodiments of the present invention.
  • a client may attempt to access a respective backend service(s). For example, a client may enter a location with a client device which attempts to automatically connect to a backend service such as a wireless network.
  • one or more client device(s) attempts to access a respective backend service of a respective SP.
  • a respective digital certificate pre-installed on the client device(s) following registration as depicted in FIG. 2 may be sent automatically by the client device(s), as part of an authentication process in accessing the respective backend service(s).
  • a respective SP receives the digital certificate, as a credential to be authenticated.
  • the SP code executed on the respective SP sends the digital certificate as an authentication request to the IM system, as shown in 304.
  • the IM system code executed on the IM system processor(s) performs a respective authentication analysis for the received authentication request, according to the digital certificate and respective access rule(s).
  • a client certificate may contain a first time period beyond a scope of a second time period as defined by a respective access rule associated to a respective UID, and in that case an authentication analysis performed by the IM system may return an access denial.
  • results of the authentication analysis are sent by the IM system via the computer network to a respective SP, which enables automatic access of the respective client device(s) to registered backend service(s).
  • the SP code may send onboard client device(s) occasional updates. For example, a guest in a resort may receive updates via a wireless network to his/her mobile phone regarding dining times, or
  • FIG. 4 is an exemplary dataflow for a registration and authentication of a client device by an SP and the IM system, according to some embodiments of the present invention.
  • the SP may be a hotel computer connected to the IM system via a computer network
  • the client device may be a mobile phone through which the client makes a hotel booking via a hotel website.
  • four components are included in the example, a client device, a point of sale (POS)/registration, an SP supporting a backend service such as a wireless network, and the IM system respectively.
  • the hotel computer registers with the IM system using a computer network such as the World Wide Web (WWW), and installs a computer program (app) which includes the SP code.
  • a client operating a client device 400, such as a mobile phone, books a service from the hotel computer 404; for example, the client books a hotel room via a website 402 (a POS for the hotel).
  • the website 402 sends the booking to the app installed on the hotel computer 404.
  • the app sends a digital certificate request to the IM system according to the client's booking (for example, a 24 hour period).
  • the IM system sends a digital certificate directly back to the client device, for example, by using the client UID, which may be a phone number.
  • the client device code installs the received digital certificate and configures wireless connectivity for the hotel wireless network.
  • the client may arrive at the hotel on the day of booking, and the client device(s) attempt to access the hotel's wireless network.
  • the app on the hotel's computer delegates authentication of the client device(s) to the IM system.
  • the IM system performs an authentication analysis according to records in the IM system storage and sends an authentication result, as shown in 424, to the app on the hotel computer. If the authentication result verifies the client device(s), then the client device(s) automatically connect to the hotel's wireless network.
  • the hotel computer may send additional updates, as shown in 426, to the client device(s), such as personalized messages like dinner times changes, special offers, and messages left at reception for the respective client, which may improve overall user experience.
  • FIG. 5 is an exemplary dataflow for a registration and authentication of a client device and a vehicle, according to some embodiments of the present invention.
  • FIG. 5 may describe registration and authentication of a utility vehicle and driver, which attempt to access a gated community for performing a service, such as garbage removal.
  • as shown in 500, 502, 504 and 506, four components are included in the example: a client device and truck, a community administration office, an SP supporting a backend service such as a community computer controlling a gate, and the IM system respectively.
  • the community administration office 502 registers a driver client device, such as a mobile phone/tablet, according to a UID, and a vehicle.
  • the community administration office requests a digital certificate for a respective driver device and vehicle, which is then sent to the respective driver device and vehicle 500 for installation, as shown in 514 and 516.
  • the respective driver and vehicle may arrive at the gated community to perform, for example, a garbage collection service.
  • the driver device may be detected by a proximity sensor, as shown in 520.
  • the driver device and vehicle are authenticated by the community computer/gate 504 by delegating authentication to the IM system.
  • the IM system performs an authentication analysis for the respective driver device and vehicle, and when the authentication analysis is valid, the community computer may grant automatic access to the driver device and vehicle to the gated community to perform the respective service.
  • the example depicted in FIG. 5 may improve security for gated communities, reduce service costs, and provide a seamless experience for service providing drivers.

Abstract

A system for managing secure access to backend services of different service providers for: managing access to backend services for each of a plurality of different service providers, by: receiving, from a service provider code of a respective service provider, registration requests for accessing backend services of the service provider, each registration request comprises: one or more access rules, and a unique identifier, UID, on at least one client device; in response to each of the plurality of registration requests: issuing a digital certificate for each client device; registering the access rules; and sending the digital certificate to respective client devices; receiving a plurality of authentication requests; in response to each of the plurality of authentication requests: performing an authentication analysis for the respective authentication request; and sending the outcome of the authentication analysis to the respective service provider code.

Description

AUTOMATIC DIGITAL IDENTIFICATION SYSTEM INTEGRATED BETWEEN CONSUMER DEVICES AND BACKEND SERVICES
BACKGROUND
The present invention, in some embodiments thereof, relates to digital identification management and, more specifically, but not exclusively, to an automatic digital identification management system supporting integration between consumer devices and backend services.
A trust service is defined as an electronic service that entails one of three possible actions. First it may concern the creation, the verification or the validation of electronic signatures, as well as time stamps or seals, electronically registered delivery services and certifications that are required with these services. The second action entails the creation, the verification as well as the validation of certificates that are used to authenticate websites. The third action is the preservation of these electronic signatures, the seals or the related certificates.
A trust service provider is a person or legal entity providing and preserving digital certificates to create and validate electronic signatures and to authenticate their signatories. Trust service providers are qualified certificate authorities required, for example, in the European Union and in Switzerland in the context of regulated electronic signing procedures.
The trust service provider has the responsibility to assure the integrity of electronic identification for signatories and services through strong mechanisms for authentication, electronic signatures and digital certificates.
For example, Electronic Identification Digital Authentication Services (eIDAS) is a European regulation that defines the standards for how trust service providers are to perform their services of authentication and non-repudiation. The regulation provides guidance to EU member states on how trust service providers shall be regulated and recognized.
SUMMARY
It is an object of some embodiments of the present invention to provide a system and a method for digital identification management.
The foregoing and other objects are achieved by the features of the independent claims. Further implementation forms are apparent from the dependent claims, the description and the figures.
According to a first aspect of the invention, a system for managing secure access to backend services of different service providers, comprising: at least one processor adapted to execute a code for: managing access to backend services for each of a plurality of different service providers, by: receiving, from a service provider code of a respective service provider, a plurality of registration requests for accessing a plurality of backend services of the respective service provider, each registration request comprises: one or more access rules, and a unique identifier, UID, on at least one client device; in response to each of the plurality of registration requests: issuing a digital certificate for the at least one client device; registering the one or more access rules in association with the UID; and sending the digital certificate to the at least one client device; receiving, from the respective service provider code, a plurality of authentication requests, each authentication request comprises an indication of the respective digital certificate; in response to each of the plurality of authentication requests: performing an authentication analysis for the respective authentication request based on the received indication and the respective one or more access rules; and sending the outcome of the authentication analysis to the respective service provider code so as to allow the respective service provider to determine access permission of at least one respective client device to a respective backend service of the plurality of backend services.
According to a second aspect of the invention, a method for managing secure access to backend services of different service providers, comprising: receiving, from a service provider code of a respective service provider, a plurality of registration requests for accessing a plurality of backend services of the respective service provider, each registration request comprises: one or more access rules, and a unique identifier, UID, on at least one client device; in response to each of the plurality of registration requests: issuing a digital certificate for the at least one client device; registering the one or more access rules in association with the UID; and sending the digital certificate to the at least one client device; receiving, from the respective service provider code, a plurality of authentication requests, each authentication request comprises an indication of the respective digital certificate; in response to each of the plurality of authentication requests: performing an authentication analysis for the respective authentication request based on the received indication and the respective one or more access rules; and sending the outcome of the authentication analysis to the respective service provider code so as to allow the respective service provider to determine access permission of at least one respective client device to a respective backend service of the plurality of backend services.
With reference to the first and second aspects, in a first possible implementation of the first and second aspects of the present invention, optionally, wherein the one or more access rules determine access to the plurality of backend services according to predetermined spatial locations and/or predetermined time intervals.
With reference to the first and second aspects, or the first implementation of the first and second aspects, in a second possible implementation of the first and second aspects of the present invention, optionally, further comprising sending updates related to a backend service from the service provider code to the client device, while the client device is authenticated to access the backend service.
With reference to the first and second aspects, or the first or second implementations of the first and second aspects, in a third possible implementation of the first and second aspects of the present invention, optionally, wherein the service provider requires registration and each registration is valid for a limited time window associated with the respective registration.
With reference to the first and second aspects, or the first, second, or third implementations of the first and second aspects, in a fourth possible implementation of the first and second aspects of the present invention, optionally, wherein the backend service is a wireless networking service.
With reference to the first and second aspects, or the first, second, third, or fourth implementations of the first and second aspects, in a fifth possible implementation of the first and second aspects of the present invention, optionally, wherein the client device is used by a client and/or vehicle.
With reference to the first and second aspects, or the first, second, third, fourth, or fifth implementations of the first and second aspects, in a sixth possible implementation of the first and second aspects of the present invention, optionally, wherein the service provider controls access to an enclosure.
With reference to the first and second aspects, or the first, second, third, fourth, fifth, or sixth implementations of the first and second aspects, in a seventh possible implementation of the first and second aspects of the present invention, optionally, wherein the client device is used by a person and/or vehicle requesting access to the enclosure.
With reference to the first and second aspects, or the first, second, third, fourth, fifth, sixth, or seventh implementations of the first and second aspects, in an eighth possible implementation of the first and second aspects of the present invention, optionally, wherein the backend service comprises accessing the enclosure by the person and/or vehicle.
With reference to the first and second aspects, or the first, second, third, fourth, fifth, sixth, seventh or eighth implementations of the first and second aspects, in a ninth possible implementation of the first and second aspects of the present invention, optionally, wherein the person and/or vehicle are authenticated by the service provider based on the respective UID and one or more access rules.
Other systems, methods, features, and advantages of the present disclosure will be or become apparent to one with skill in the art upon examination of the following drawings and detailed description. It is intended that all such additional systems, methods, features, and advantages be included within this description, be within the scope of the present disclosure, and be protected by the accompanying claims.
Unless otherwise defined, all technical and/or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the invention pertains. Although methods and materials similar or equivalent to those described herein can be used in the practice or testing of embodiments of the invention, exemplary methods and/or materials are described below. In case of conflict, the patent specification, including definitions, will control. In addition, the materials, methods, and examples are illustrative only and are not intended to be necessarily limiting.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
Some embodiments of the invention are herein described, by way of example only, with reference to the accompanying drawings. With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of embodiments of the invention. In this regard, the description taken with the drawings makes apparent to those skilled in the art how embodiments of the invention may be practiced.
In the drawings:
FIG. 1 is an exemplary layout of the various components of an automatic digital identification management system, according to some embodiments of the present invention;
FIG. 2 is an exemplary dataflow of a process of registration and certification of a client device by a service provider code and an identity management code, according to some embodiments of the present invention;
FIG. 3 is an exemplary dataflow of a process of authenticating at least one client device for a purpose of connecting to at least one backend service, according to some embodiments of the present invention;
FIG. 4 is an exemplary dataflow for a registration and authentication of a client device by an SP and the IM system, according to some embodiments of the present invention; and
FIG. 5 is an exemplary dataflow for a registration and authentication of a client device and a vehicle by an SP and the IM system, according to some embodiments of the present invention.
DETAILED DESCRIPTION
The present invention, in some embodiments thereof, relates to automatic digital identification management and, more specifically, but not exclusively, to an automatic digital identification management system supporting integration between consumer devices and backend services. According to some embodiments of the present invention there are provided digital identification systems (hereby also known as 'digital authentication systems') and methods in which clients and/or consumers are authenticated in order to bind a client/consumer device to at least one backend service according to an access rule. For example, a service provider such as an airline may authenticate pre-registered passengers to access a backend service comprising a wireless network installed at a reception area at an airport terminal, wherein the access rule may be a time period until flight boarding.
According to some embodiments of the present invention there is provided a system which applies to managing secure access to backend services of different service providers.
According to some embodiments of the present invention, there is provided a method for managing secure access to backend services of different service providers comprising several functional stages. Initially, according to some embodiments of the present invention, an identity management (IM) code receives, via a computer network, a plurality of registration requests, for accessing a plurality of backend services of a respective service provider (SP), from an SP code of the respective SP.
Optionally, each registration request comprises one or more access rules, and a unique identifier (UID) on at least one client device. Following each registration request, the IM code issues a digital certificate (for example, an x.509 digital certificate) for each respective client device, which may be facilitated by a third party, such as a trusted service. Next, the IM code registers the one or more respective access rules with the respective UID, optionally in a storage medium, local and/or cloud based, and sends the digital certificate to one or more respective client device codes, wherein the respective client device codes install the digital certificate on one or more respective client devices and configure access to one or more of the plurality of backend services.
Next, the IM code may receive via the computer network, a plurality of authentication requests, each request sent from a respective SP code from a respective SP, comprising an indication of a respective digital certificate.
For each of the plurality of received authentication requests, the IM code performs an authentication analysis based on the received indication and respective one or more access rules associated with a respective digital certificate. An outcome of each authentication analysis is sent to a respective SP code, which determines access permission of at least one respective client device to a respective backend service.
Existing solutions for client identity authentication in order to bind a client/consumer device to a backend service often require using a dedicated service provider application, which unlike the system described herein, does not enable management of client authentication in a general and universal manner which is unrelated to any specific service provider or specific backend service. Furthermore, the existing solutions require client interaction in order to achieve backend service onboarding, usually consisting of one or more of: typing a password, accessing a portal, applying near field communication (NFC) tagging or quick response (QR) codes for configuration, or using pre-installed digital certificates. While client device authentication using pre-installed digital certificates does not require active client interaction, existing solutions only support enterprise devices, for example binding organizational leased devices by extensible authentication protocol-transport layer security (EAP-TLS) over a local area network (LAN).
The system described herein may display several advantages over existing solutions:
1. Enables client devices to access backend services without any configuration at time of access.
2. Enables an improved user experience in personalized updates from the SP code to onboard client devices, and a discrete push data service.
3. Enables rapid added value service deployment based on client device UID authentication.
Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not necessarily limited in its application to the details of construction and the arrangement of the components and/or methods set forth in the following description and/or illustrated in the drawings and/or the Examples. The invention is capable of other embodiments or of being practiced or carried out in various ways.
The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention. The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.
The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.
Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.
Reference is now made to FIG. 1, which is a depiction of system components according to some embodiments of the present invention. The system is used for managing secure access to backend services of different service providers, unrestricted by types of service providers or backend services. For example, the system may be used by a hotel which grants automatic wireless connectivity to registered clients within their booking period, and/or the hotel may allow access to free parking or any other services according to a plurality of access rules such as booking period and/or VIP access for valued clients.
There are three component types included: an IM system 100, and one or more SPs 108, each of which is associated with one or more client device(s) 116. The IM system 100 includes an IM I/O interface 102, an IM storage 104, and one or more IM processor(s) 106. The IM I/O interface 102 receives as inputs registration requests, digital certificate requests and authentication requests for client devices from SPs 108, and outputs digital certificates to respective client device(s) 116, and client device authentication verifications to the SP code of respective SPs.
The IM storage 104, stores client certificate requests and respective access rule(s), SP’s 108 registration details, and IM code which comprises instructions for managing access to a plurality of backend services of a plurality of service providers. The one or more IM processor(s) 106 is/are adapted to execute the IM code located in the IM storage 104.
The one or more SP(s) 108, each have an SP I/O interface 110, an SP storage 112, and one or more SP processor(s) 114. The SP I/O interface 110, outputs SP registration requests to the IM system 100, client device 116 digital certificate issue requests, client device authentication requests, added value service related updates to client device(s), and receives as inputs client devices authentication analysis verifications from the IM system. The SP storage 112, stores client registration details, client authentication verifications, and code instructions for SP code which comprises instructions for managing client device access to a plurality of backend services. The one or more SP processor(s) 114 is/are adapted to execute the SP code located in the SP storage 112.
The one or more client device(s) 116, each have a client device I/O interface 118, a client device storage 120, and one or more client device processor(s) 122. The client device I/O interface 118, receives as inputs client registration data from clients, client digital certificates from the IM code, and service related updates from the SP code. The client device storage 120, is allocated on each client device by a respective client device, and stores a respective digital certificate for each client device, backend services configuration values, and added value service updates. The client device storage also stores client device code, which comprises instructions for receiving and installing digital certificate from the IM system, and for configuring backend services of respective SP’s. The one or more client device processor(s) 122 is/are adapted to execute the client device code located in the client device storage 120.
The various system components may be implemented as software and/or firmware.
Reference is also made to FIG. 2, which is an exemplary dataflow of a process of registration and digital certification of a client device, according to some embodiments of the present invention. First, as shown at 200, at least one client device, for instance a mobile device and/or a laptop operated by a client, may request access to a service by means of a point of sale (POS) and/or registration as shown in 202. For example, the service may be booking a hotel room, which is accessed by a website registered to a hotel or a third party. Next, as shown in 204, the respective SP code receives a registration request from the client device(s). Next, as shown in 206, the SP code sends a digital certificate request via the computer network to the IM system 100, according to a client UID and respective access rule(s). For example, a client UID may be based on the client device phone number, and the access rule(s) may be derived by the service provider module according to the registration; for example, an access rule may be a time frame corresponding to a respective room booking period. Next, as shown in 208, the IM system receives the certificate request over the computer network, and as shown in 210, the IM system processes the request according to the IM code and issues a digital certificate according to the client UID and respective access rule(s). The digital certificate may comprise, for example, an x.509 certificate, which may include a respective time period for validity of the certificate. As shown in 212, the IM system sends the digital certificate to the client device(s) via the computer network, which install(s) the digital certificate and configure(s) the requested backend service(s) according to instructions in the client device code.
Reference is also made to FIG. 3, which is an exemplary dataflow of a process of authenticating at least one client device for a purpose of connecting to at least one backend service, according to some embodiments of the present invention. Following a registration of a client device(s), and issuing of digital certification as depicted in FIG. 2, a client may attempt to access a respective backend service(s). For example, a client may enter a location with a client device which attempts to automatically connect to a backend service such as a wireless network.
First, as shown in 300, one or more client device(s), such as a mobile phone and/or a laptop, attempt to access a respective backend service of a respective SP. A respective digital certificate pre-installed on the client device(s) following registration as depicted in FIG. 2 may be sent automatically by the client device(s), as part of an authentication process in accessing the respective backend service(s). Next, as shown in 302, a respective SP receives the digital certificate as a credential to be authenticated. Next, the SP code executed on the respective SP sends the digital certificate as an authentication request to the IM system, as shown in 304. Next, as shown in 306, the IM system code, executed on the IM system processor(s), performs a respective authentication analysis for the received authentication request, according to the digital certificate and respective access rule(s). For example, a client certificate may contain a first time period beyond the scope of a second time period as defined by a respective access rule associated with a respective UID, and in that case an authentication analysis performed by the IM system may return an access denial.
Next, as shown in 308, results of the authentication analysis are sent by the IM system via the computer network to a respective SP, which enables automatic access of the respective client device(s) to registered backend service(s). In addition, the SP code may send onboarded client device(s) occasional updates. For example, a guest in a resort may receive updates via a wireless network to his/her mobile phone regarding dining times, or personalized messages based on a respective UID.
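The registration stage of FIG. 2 and the authentication stage of FIG. 3, worked through as an added Go example; this is not code from the patent or from Huawei, and it models only the IM code. The IM acts as a private X.509 CA: `Register` issues a device certificate whose validity equals the access rule's time window and stores the rule under the UID, and `Authenticate` verifies a certificate forwarded by the SP against the CA at the time of the request and then re-evaluates the stored rule (time window and permitted location). All names are assumptions: the types and functions, the placeholder CA name "example-im-ca", the placeholder UID "+1-555-0100", and the site label "hotel-wifi", which stands in for the patent's spatial location as a string the SP supplies with each request.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AccessRule is a constructed stand-in for the patent's access rules: a time
// window plus an optional set of permitted locations (empty set = any location).
type AccessRule struct {
	NotBefore, NotAfter time.Time
	Locations           map[string]bool
}

// IdentityManager models the IM code as a private CA that issues one X.509
// certificate per client device and keeps the access rules keyed by UID.
type IdentityManager struct {
	caKey  *ecdsa.PrivateKey
	caCert *x509.Certificate
	roots  *x509.CertPool
	rules  map[string]AccessRule
}

// NewIdentityManager creates the IM's self-signed CA ("example-im-ca" is a placeholder name).
func NewIdentityManager() (*IdentityManager, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-im-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &IdentityManager{caKey: key, caCert: cert, roots: roots, rules: map[string]AccessRule{}}, nil
}

// Register handles one registration request from the SP code (FIG. 2, 206-212): the device
// certificate's validity is the rule's time window, the rule is stored under the UID, and the
// DER certificate is returned for delivery to the client device. The serial is example-only.
func (im *IdentityManager) Register(uid string, rule AccessRule, devicePub *ecdsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: uid},
		NotBefore: rule.NotBefore, NotAfter: rule.NotAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, im.caCert, devicePub, im.caKey)
	if err != nil {
		return nil, err
	}
	im.rules[uid] = rule
	return der, nil
}

// Authenticate handles one authentication request forwarded by the SP code (FIG. 3, 304-308):
// the certificate must chain to the IM CA and be valid at `now`, and the stored rule is
// re-evaluated, so the SP can narrow or withdraw access by updating the rule alone.
func (im *IdentityManager) Authenticate(certDER []byte, location string, now time.Time) (bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	opts := x509.VerifyOptions{Roots: im.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return false, fmt.Errorf("certificate rejected: %w", err)
	}
	rule, ok := im.rules[cert.Subject.CommonName]
	if !ok {
		return false, fmt.Errorf("no access rule registered for UID %q", cert.Subject.CommonName)
	}
	if now.Before(rule.NotBefore) || now.After(rule.NotAfter) {
		return false, fmt.Errorf("outside the registered time window")
	}
	if len(rule.Locations) > 0 && !rule.Locations[location] {
		return false, fmt.Errorf("location %q not covered by the access rule", location)
	}
	return true, nil
}

func main() {
	im, _ := NewIdentityManager()
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	start := time.Now() // constructed sample: a 24-hour hotel booking for placeholder UID "+1-555-0100"
	rule := AccessRule{NotBefore: start, NotAfter: start.Add(24 * time.Hour), Locations: map[string]bool{"hotel-wifi": true}}
	certDER, _ := im.Register("+1-555-0100", rule, &devKey.PublicKey)
	fmt.Println(im.Authenticate(certDER, "hotel-wifi", start.Add(2*time.Hour)))  // true <nil>
	fmt.Println(im.Authenticate(certDER, "hotel-wifi", start.Add(30*time.Hour))) // false, certificate expired
}
```

The SP side is deliberately absent. In a deployment the SP would obtain the certificate through TLS client authentication (for instance EAP-TLS on the wireless network the description mentions), so that presenting it also proves possession of the device's private key; forwarding the bare certificate, as the dataflow describes, proves only that the IM issued it. Re-checking the stored rule rather than trusting the certificate's own validity dates alone is what lets the SP shorten or withdraw access (a cancelled booking, a finished service call) by updating the rule, without reissuing or revoking the certificate.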
Reference is also made to FIG. 4, which is an exemplary dataflow for a registration and authentication of a client device by an SP and the IM system, according to some embodiments of the present invention. For example, the SP may be a hotel computer connected to the IM system via a computer network, and the client device may be a mobile phone through which the client makes a hotel booking via a hotel website. As shown in 400, 402, 404, 406, four components are included in the example: a client device, a point of sale (POS)/registration, an SP supporting a backend service such as a wireless network, and the IM system, respectively. First, as shown in 408, the hotel computer registers with the IM system using a computer network such as the World Wide Web (WWW), and installs a computer program (app) which includes the SP code. Next, as shown in 410, a client operating a client device 400, such as a mobile phone, books a service from the hotel computer 404; for example, a client books a room for a hotel via a website (a POS for the hotel) 402. Next, as shown in 412, the website 402 sends the booking to the app installed on the hotel computer 404. Next, as shown in 414, the app sends a digital certification request to the IM system according to the client's booking (for example, a 24-hour period). As shown in 416, the IM system sends a digital certificate directly back to the client device, for example, by using the client UID, which may be a phone number. Next, as shown in 418, the client device code installs the received digital certificate and configures wireless connectivity for the hotel wireless network.
Next, following successful registration of the client, as shown in 420, the client may arrive at the hotel on the day of booking, and the client device(s) attempt to access the hotel's wireless network. Next, as shown in 422, the app on the hotel's computer delegates authentication of the client device(s) to the IM system. The IM system performs an authentication analysis according to records on the IM system storage and sends an authentication result, as shown in 424, to the app on the hotel computer. If the authentication result verifies the client device(s), then the client device(s) automatically connect to the hotel's wireless network. Following successful verification of the client device(s), the hotel computer may send additional updates, as shown in 426, to the client device(s), such as personalized messages like changes to dinner times, special offers, and messages left at reception for the respective client, which may improve overall user experience.
Reference is also made to FIG. 5, which is an exemplary dataflow for a registration and authentication of a client device and a vehicle, according to some embodiments of the present invention. For example, FIG. 5 may describe registration and authentication of a utility vehicle and driver, which attempt to access a gated community for performing a service, such as garbage removal. As shown in 500, 502, 504, 506, four components are included in the example: a client device and truck, a community administration office, an SP supporting a backend service such as a community computer controlling a gate to the gated community, and the IM system, respectively. First, as shown in 508, the community computer registers with the IM system via a computer network such as the World Wide Web (WWW), and installs the app, which includes the SP code.
Next, as shown in 510, the community administration office 502 registers a driver client device, such as a mobile phone/tablet, according to a UID, and a vehicle. Next, as shown in 512, the community administration office requests a digital certificate for a respective driver device and vehicle, which is then sent to the respective driver device and vehicle 500 for installation, as shown in 514 and 516.
Next, following successful registration of the driver's device and vehicle, as shown in 518, the respective driver and vehicle may arrive at the gated community to perform, for example, a garbage collection service. Following arrival of the vehicle at the community computer/gate 504, the driver device may be detected by a proximity sensor, as shown in 520. Next, as shown in 522, the driver device and vehicle are authenticated by the community computer/gate 504 by delegating authentication to the IM system. As shown in 524, the IM system performs an authentication analysis for the respective driver device and vehicle, and when the authentication analysis is valid, the community computer may grant automatic access to the driver device and vehicle to the gated community to perform the respective service. The example depicted in FIG. 5 may improve security for gated communities, reduce service costs, and provide a seamless experience for service providing drivers.
The descriptions of the various embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
It is expected that during the life of a patent maturing from this application many relevant systems, methods and computer programs will be developed and the scope of the term fuzzing is intended to include all such new technologies a priori.
As used herein the term "about" refers to ± 10 %.
The terms "comprises", "comprising", "includes", "including", "having" and their conjugates mean "including but not limited to". This term encompasses the terms "consisting of" and "consisting essentially of".
The phrase "consisting essentially of" means that the composition or method may include additional ingredients and/or steps, but only if the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.
As used herein, the singular form "a", "an" and "the" include plural references unless the context clearly dictates otherwise. For example, the term "a compound" or "at least one compound" may include a plurality of compounds, including mixtures thereof.
The word "exemplary" is used herein to mean "serving as an example, instance or illustration". Any embodiment described as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments and/or to exclude the incorporation of features from other embodiments.
The word "optionally" is used herein to mean "is provided in some embodiments and not provided in other embodiments". Any particular embodiment of the invention may include a plurality of "optional" features unless such features conflict.
Throughout this application, various embodiments of this invention may be presented in a range format. It should be understood that the description in range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of the invention. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6 etc., as well as individual numbers within that range, for example, 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.
Whenever a numerical range is indicated herein, it is meant to include any cited numeral (fractional or integral) within the indicated range. The phrases "ranging/ranges between" a first indicated number and a second indicated number and "ranging/ranges from" a first indicated number "to" a second indicated number are used herein interchangeably and are meant to include the first and second indicated numbers and all the fractional and integral numerals therebetween.
It is appreciated that certain features of the invention, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination or as suitable in any other described embodiment of the invention. Certain features described in the context of various embodiments are not to be considered essential features of those embodiments, unless the embodiment is inoperative without those elements.
All publications, patents and patent applications mentioned in this specification are herein incorporated in their entirety by reference into the specification, to the same extent as if each individual publication, patent or patent application was specifically and individually indicated to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present invention. To the extent that section headings are used, they should not be construed as necessarily limiting.

Claims

1. A system for managing secure access to backend services of different service providers, comprising:
at least one processor adapted to execute a code for:
managing access to backend services for each of a plurality of different service providers, by:
1) receiving, from a service provider module of a respective service provider, a plurality of registration requests for accessing a plurality of backend services of the respective service provider, each registration request comprises:
one or more access rules, and
a unique identifier, UID, for a client device;
2) in response to each of the plurality of registration requests:
issuing a digital certificate for the client device;
registering the one or more access rules in association with the UID; and
sending the digital certificate to the client device;
3) receiving, from the respective service provider module, a plurality of authentication requests, each authentication request comprises an indication of the respective digital certificate;
4) in response to each of the plurality of authentication requests:
performing an authentication analysis for the respective authentication request based on the received indication and the respective one or more access rules; and
sending the outcome of the authentication analysis to the respective service provider module so as to allow the respective service provider to determine access permission of the respective client device to a respective backend service of the plurality of backend services.
2. The system of claim 1, wherein the one or more access rules determine access to the plurality of backend services according to predetermined spatial locations and/or predetermined time intervals.
3. The system of any of the previous claims, further comprising periodically sending updates related to a backend service from the service provider module to the client device, while the client device is authenticated to access the backend service.
4. The system of any of the previous claims, wherein the service provider requires registration, and each registration is valid for a limited time window associated with the respective registration.
5. The system of claim 4, wherein the backend service is a wireless networking service.
6. The system of claim 5, wherein the client device is used by a client and/or vehicle.
7. The system of any of the previous claims, wherein the service provider controls access to an enclosure.
8. The system of claim 7, wherein the client device is used by a person and/or vehicle requesting access to the enclosure.
9. The system of claim 8, wherein the backend service comprises accessing the enclosure by the person and/or vehicle.
10. The system of claim 9, wherein the person and/or vehicle are authenticated by the service provider based on the respective UID and one or more access rules.
11. A method for managing secure access to backend services of different service providers, comprising:
managing access to backend services for each of a plurality of different service providers, by:
1) receiving, from a service provider module of a respective service provider, a plurality of registration requests for accessing a plurality of backend services of the respective service provider, each registration request comprises:
one or more access rules, and
a unique identifier, UID, for a client device;
2) in response to each of the plurality of registration requests:
issuing a digital certificate for the client device;
registering the one or more access rules in association with the UID; and
sending the digital certificate to the client device;
3) receiving, from the respective service provider module, a plurality of authentication requests, each authentication request comprises an indication of the respective digital certificate;
4) in response to each of the plurality of authentication requests:
performing an authentication analysis for the respective authentication request based on the received indication and the respective one or more access rules; and
sending the outcome of the authentication analysis to the respective service provider module so as to allow the respective service provider to determine access permission of the respective client device to a respective backend service of the plurality of backend services.
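The registration and authentication flow of claims 1, 2 and 4, as an added illustration that is not part of the patent: a central service binds access rules (locations and a daily hour window) to a client UID, issues a certificate, and later evaluates a provider module's authentication request. The certificate format, the HMAC used in place of CA signing, and all sample values are assumptions made for this example.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

@dataclass
class AccessRule:
    """Claim 2: access limited to given locations and/or a daily hour window."""
    locations: set = field(default_factory=set)   # empty set = any location
    hours: tuple = (0, 24)                        # [start, end) hour of day

@dataclass
class Registration:
    uid: str
    provider: str
    rules: list
    valid_until: int                              # claim 4: end of the time window (epoch s)

class IdentityService:
    """Claim 1 system: binds access rules to UIDs, issues certificates, answers authentication requests."""
    def __init__(self):
        # Assumption: an HMAC over the certificate fields stands in for CA signing.
        self._key = secrets.token_bytes(32)
        self._regs = {}                           # certificate serial -> Registration

    def _sign(self, serial, uid, provider):
        msg = f"{serial}|{uid}|{provider}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def register(self, provider, uid, rules, valid_until):
        """Steps 1-2: accept a registration request, bind rules to the UID, return the certificate."""
        serial = secrets.token_hex(8)
        self._regs[serial] = Registration(uid, provider, list(rules), valid_until)
        return {"serial": serial, "uid": uid, "provider": provider,
                "sig": self._sign(serial, uid, provider)}

    def authenticate(self, provider, cert, location, now):
        """Steps 3-4: verify the certificate indication, then evaluate the bound rules."""
        reg = self._regs.get(cert.get("serial"))
        # A provider module may only authenticate certificates issued for its own registrations.
        if reg is None or reg.provider != provider or reg.uid != cert.get("uid"):
            return "deny"
        expected = self._sign(cert["serial"], reg.uid, reg.provider)
        if not hmac.compare_digest(cert.get("sig", ""), expected):
            return "deny"                         # forged or altered certificate
        if now > reg.valid_until:
            return "expired"                      # registration window is over
        hour = (now // 3600) % 24
        for rule in reg.rules:
            if (not rule.locations or location in rule.locations) and rule.hours[0] <= hour < rule.hours[1]:
                return "allow"
        return "deny"
```

The outcome string is what the service returns to the provider module, which then decides whether to grant the client device access to the backend service.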
PCT/EP2018/081376 2018-11-15 2018-11-15 Automatic digital identification system integrated between consumer devices and backend services WO2020098941A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/EP2018/081376 WO2020098941A1 (en) 2018-11-15 2018-11-15 Automatic digital identification system integrated between consumer devices and backend services
EP18803969.7A EP3861795A1 (en) 2018-11-15 2018-11-15 Automatic digital identification system integrated between consumer devices and backend services
CN201880099377.3A CN112997537B (en) 2018-11-15 2018-11-15 Automatic digital identification system integrated between consumer device and back-end service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2018/081376 WO2020098941A1 (en) 2018-11-15 2018-11-15 Automatic digital identification system integrated between consumer devices and backend services

Publications (2)

Publication Number Publication Date
WO2020098941A1 true WO2020098941A1 (en) 2020-05-22
WO2020098941A8 WO2020098941A8 (en) 2020-07-09

Family

ID=64332080

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/081376 WO2020098941A1 (en) 2018-11-15 2018-11-15 Automatic digital identification system integrated between consumer devices and backend services

Country Status (3)

Country Link
EP (1) EP3861795A1 (en)
CN (1) CN112997537B (en)
WO (1) WO2020098941A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130227636A1 (en) * 2012-02-24 2013-08-29 Appthority, Inc. Off-device anti-malware protection for mobile devices
US8561142B1 (en) * 2012-06-01 2013-10-15 Symantec Corporation Clustered device access control based on physical and temporal proximity to the user
US20150264051A1 (en) * 2014-03-14 2015-09-17 Cable Television Laboratories, Inc. Automated wireless device provisioning and authentication
US20170257360A1 (en) * 2016-03-03 2017-09-07 Blackberry Limited Accessing enterprise resources
US20180004933A1 (en) * 2016-07-01 2018-01-04 Martin D. Nathanson System for authenticating and authorizing access to and accounting for wireless access vehicular environment consumption by client devices

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8418234B2 (en) * 2005-12-15 2013-04-09 International Business Machines Corporation Authentication of a principal in a federation
CN105933315B (en) * 2016-04-21 2019-08-30 浪潮集团有限公司 A kind of network service safe communication means, device and system
CN108206821A (en) * 2016-12-20 2018-06-26 航天信息股份有限公司 A kind of identity authentication method and system

Also Published As

Publication number Publication date
EP3861795A1 (en) 2021-08-11
WO2020098941A8 (en) 2020-07-09
CN112997537B (en) 2022-10-18
CN112997537A (en) 2021-06-18

Similar Documents

Publication Publication Date Title
CN108200050B (en) Single sign-on server, method and computer readable storage medium
US9990786B1 (en) Visitor credentials
US9537661B2 (en) Password-less authentication service
AU2017301941B2 (en) Activity-triggered provisioning of portable wireless networks
US8847729B2 (en) Just in time visitor authentication and visitor access media issuance for a physical site
US20180035248A1 (en) Activity-triggered provisioning of portable wireless networks
KR102534167B1 (en) Elevator request authorization system for a third party
US20180324172A1 (en) Single sign-on for remote applications
US20150135275A1 (en) Authorization server system, control method therefor, and storage medium
US20190342284A1 (en) Secure gateway onboarding via mobile devices for internet of things device management
CN105262780B (en) A kind of authority control method and system
US20130144633A1 (en) Enforcement and assignment of usage rights
US11095653B2 (en) Secure provisioning of unknown devices through trusted third-party devices
US20210365544A1 (en) Systems and methods for leveraging internet identity for digital credentialing
US9256717B2 (en) Managed mobile media platform systems and methods
CN108701175A (en) User account and enterprise work space correlation are joined
CA3024158C (en) Method and apparatus for issuing a credential for an incident area network
EP3483102B1 (en) Elevator request authorization system
US9590997B2 (en) System and method for accessing a service
EP3062254B1 (en) License management for device management system
KR102495953B1 (en) System and Method for Generating mobile key of Lodging
WO2020098941A1 (en) Automatic digital identification system integrated between consumer devices and backend services
KR101627896B1 (en) Authentication method by using certificate application and system thereof
US20230016358A1 (en) Day zero user access to enterprise resources
KR20220137590A (en) Method and apparatus for providing user profile

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18803969

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2018803969

Country of ref document: EP

Effective date: 20210506

NENP Non-entry into the national phase

Ref country code: DE