US20180183835A1 - Forward one-time-use physical access verification apparatus, system, and method of operation - Google Patents
- Publication number: US20180183835A1 (application US15/390,507)
- Authority: US (United States)
- Prior art keywords: verification code, access, access request, controller, physical access
- Prior art date
- Legal status: Abandoned (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
- G06F16/2365—Ensuring data consistency and integrity (under G06F16/23—Updating; G06F16/00—Information retrieval; Database structures therefor; File system structures therefor)
- G06F16/908—Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually, using metadata automatically derived from the content
- G07C9/00—Individual registration on entry or exit
- G07C9/21—Individual registration on entry or exit involving the use of a pass having a variable access code
- G07C9/215—Individual registration on entry or exit involving the use of a pass, the system having a variable access-code, e.g. varied as a function of time
- G07C9/23—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder by means of a password
- G07C9/27—Individual registration on entry or exit involving the use of a pass with central registration
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04W12/08—Access security (under H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity)
- H04L2463/121—Timestamp (under H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00)
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords, using one-time-passwords
- H04W12/06—Authentication (under H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity)
- H04W12/61—Time-dependent (under H04W12/60—Context-dependent security)
Definitions
- the disclosure relates to physical access control over portals.
- What is needed is a way to control a physical access portal upon determination that a counterfeit, clone, or duplicate of a physical access control device is attempting an intrusion or has already intruded.
- a physical access control system checks a sequence of access requests and determines when indicia are unusually presented out of order or reiterated.
- a portal controller apparatus receives a plurality of physical access requests (access requests), each of which includes at a minimum the user's access credential, from a plurality of mobile application devices. Because mobility with the least amount of friction is desired, a wireless coupling is utilized. Bluetooth, RFID, Wi-Fi, infrared, optical, and cellular communication channels are exemplary but non-limiting embodiments of wireless links.
- the controller determines for each mobile application device (app device) a sequence of access requests which at minimum has at least a first access request and a second access request.
- upon authenticating the first access request (predecessor), the controller writes into non-transitory storage a one-time verification code specific to an immediately subsequent second access request (successor) from the same app device.
- upon receiving a successor, the controller performs an authentication process by matching the stored one-time verification code associated with the predecessor.
- the wireless apparatus controls physical access through a portal by forward verification of one-time-use codes submitted by a mobile application device.
- the system forward verifies a single physical access control code upon each successful physical access request.
- the apparatus sets a flag that triggers an action when a one-time-use code is received out of sequence.
- the controller receives a plurality of physical access requests from a plurality of mobile application devices.
- the controller determines for each mobile application device a sequence of access requests comprising at least a first access request and a second access request.
- FIGS. 1-2 are block diagrams of the system and components of apparatus embodiments
- FIGS. 3-5 are flow charts of method embodiments.
- FIG. 6 is a block diagram of a processor suitable for performing a method embodiment of the invention.
- An apparatus controls physical access by actuating portals.
- Wireless devices present credentials and other indicia that are reconciled by a cloud server.
- the indicia are checked for continuity in a chain.
- each successful access adds another level of credibility, which is deprecated when the indicia seem out of sequence or reiterated.
- a timestamp included in a first physical access request is used to verify a subsequent second physical access request.
- the timestamp may be transformed e.g. by masking to describe a range of time.
- the subsequent second physical access request must include the transformed timestamp of the predecessor.
- the controller sets a flag of questionable chain of control associated with the app device.
- each newer one-time verification code is synthesized by the app device and transmitted in both a predecessor and successor request.
- each newer one-time verification code is a transformation of a timestamp read from the system clock of the app device.
- each newer one-time verification code is synthesized as transformation of the predecessor and transmitted only in the successor.
- each newer one-time verification code is a transformation of the result of authentication of the predecessor request.
- a flag of questionable chain of control causes an access control policy to be performed at the portal actuator.
- a range of time related to the last successful physical access request is transformed into a forward verification code.
- the difference in time between a request and the last successful physical access request by that sender is transformed into a forward verification code.
- a mask of least significant bits provides a range of time relating a request to the last successful physical access request by that sender, and that range is transformed into a forward verification code.
- a masked timestamp of the most recent successful physical access control request is transformed into a forward verification code.
- the physical access controller apparatus enables a portal actuator upon verification of said successor access request only on the condition that a verification code in the successor is accepted.
- the verification code is provided in the payload of the predecessor.
- the verification code is derived from a seed provided in the payload of the predecessor.
- the verification code is a transformation of the metadata associated with the successful submission of the predecessor.
- the transformation process may include hashing.
- the transformation process may include hashing a masked string of metadata to allow a range.
- the transformation process may include hashing a masked timestamp of the acknowledgement of the predecessor access request.
- the delta time between the predecessor and successor timestamps is a seed for a verification code.
- a visualization of the history of verification codes would be a chain of single links. If a link is received that attaches onto other than the latest link, the system denies access and resets the verification process.
- a cloud server 210 is communicatively coupled to at least one mobile application device 220-280 and further coupled to a physical access controller apparatus 290 at some point in time, but is not necessarily communicating at the time of the entry attempt.
- the cloud server 210 includes a non-transitory store of instructions 212; a non-transitory store of digital signatures, credentials, and identities 214; a communication controller to mobile application devices 216; a communication channel to all physical access controllers 218; and a processor 219.
- each mobile application device 220 includes a non-transitory store of instructions 222; a non-transitory store of physical access request meta data 224; a wireless portal channel transceiver 226; a wireless communication channel to the cloud server 228; and a processor 229.
- a physical access controller apparatus 290 includes a non-transitory store of instructions 292; a non-transitory store of verification codes 294; a wireless portal beacon and receiver 296; a communication channel to the cloud server 298; a processor 299; and an actuator control output 291 to control access through a portal (e.g. the door).
- the method of operation of the cloud server is to distribute 310 a version-controlled application (smart app) and indicia of credentials and authentication to the access controller and the at least one app device.
- a smart app could also be pre-installed on the app device.
- a smart app may be installed over the air from another software distribution point of origin (e.g. Apple's App Store).
- the method of operation at a cloud server includes: receiving a message causing initialization/update of one or more app devices 311; authenticating that the message originates from a trusted source 312; authenticating the device or apparatus to be served 313; verifying the physical location of the device or apparatus 314; authenticating the operator of the device 315; updating a system authentication value 316; updating a list of authorized portals 317; updating certificates and digital signatures 318; and updating the version of instructions 319.
- the method of operation 420 shown in FIG. 4 includes: formulating 422 a first physical access request (predecessor) in response to a first signal from a first suitable wireless transceiver associated with a portal controller; transmitting 424 the predecessor and storing meta data of its receipt and acceptance into a non-transitory store; formulating 426 a second physical access request (successor) by transforming the meta data of the most recent receipt and acceptance of said predecessor into a verification code; and transmitting 428 the successor and storing meta data of its receipt and acceptance into the non-transitory store.
- the method 420 further includes: transforming 423 a physical access request with a timestamp; and deleting 425 meta data records on the condition of failure in receipt or acceptance of any access request.
- the method 420 further includes: reading 427 the device system clock as an input to transforming the access request; and masking 429 the device system clock value to provide a range of time.
- the method 420 further includes: receiving 421 an updated set of versioned authentication credentials, instructions, and authorized access portals.
- the method of operation 590 of a physical access controller apparatus includes: receiving 592 at least two physical access requests (access requests) in sequence from a mobile application device wherein said two access requests are a predecessor and a successor; writing 594 at least one verification code into non-transitory store; determining 596 when a verification code associated with a successor access request is acceptable; and enabling 598 a physical access portal actuator.
- the method 590 further includes determining 593 a verification code for the successor by operating on the data and meta data of the predecessor; and transforming 595 the data and meta data of the successor into a pair of chained verification codes.
- the method 590 further includes: determining 597 when a verification code presented by a successor access request is unacceptable; and blocking 599 an access request and initiating a policy at the cloud server.
- the method 590 further includes upon initiation, distributing an update version 591 of a smart app to at least one mobile application device and one access controller.
- the distinguishing aspect of the one time code is that it is “new” and not “reused”.
- the controller merely stores the last used one-time code. The next access must include this last used code (validated), and a new code (stored for next access).
- One aspect of the invention is a mobile application device (app device) for physical access that has: a wireless transceiver; a processor and a system clock; a non-transitory store configured with authentication certificates; a physical access application; and a non-transitory store for at least two one-time verification codes.
- the app device also has a non-transitory store for a system authentication value (SAV), a credential, a user ID, and executable code for hashing and transacting requests; and a circuit to transform indicia into a physical access control request.
- the app device also has a circuit to synthesize a forward one-time verification code from a timestamp of its system clock.
- the app device synthesizes a forward one-time verification code pseudo-randomly.
- the app device also has a circuit to synthesize a forward one-time verification code upon a successful physical access control request.
- Another aspect of the invention is a system that has: a plurality of mobile application devices (app devices); a physical access controller (access controller) communicatively coupled to said devices; and a cloud security service server; wherein said access controller includes a non-transitory store of sequential access codes associated with each user id and credentials verified by the cloud security service server; a transceiver to receive and acknowledge physical access requests; a circuit to operate a portal actuator; and a non-transitory store of security policies.
- each access controller receives an updated one-time code for each app device from any other access controller.
- each access controller recognizes only one-time codes derived from its own span of portals or individually for each portal.
- the system also has: a circuit to verify a physical access request with a stored forward verification code.
- the system also has: a circuit to perform a security policy on the condition the verification of a physical access request fails.
- the system also has: a circuit to cause app devices and access controllers to advance a system authentication value.
- the system also has: a circuit to extract and store a forward verification code from a last successful physical access request.
- the system also has: a circuit to determine a forward verification code for a user upon last successful physical access request.
- Another aspect of the invention is a method for control of a physical access portal comprising the processes: at a controller, receiving a plurality of physical access requests (access requests) from a plurality of mobile application devices; at the controller, determining for each mobile application device (app device) a sequence of access requests comprising at least a first access request and a second access request; at the controller, upon authenticating the first access request (predecessor), writing into non-transitory storage a one-time verification code specific to an immediately subsequent second access request (successor) from the same app device; and at the controller, upon receiving a successor, performing an authentication process by matching the stored one-time verification code associated with the predecessor.
- the method also has: on the condition the authentication process passes, writing a newer one-time verification code into non-transitory storage specific to yet another immediately subsequent successor.
- the method also has: on the condition the authentication process fails, setting a flag of questionable chain of control associated with the app device.
- each newer one-time verification code is synthesized by the app device and transmitted in both a predecessor and successor request.
- each newer one-time verification code is a transformation of a timestamp read from the system clock of the app device.
- each newer one-time verification code is synthesized as transformation of the predecessor and transmitted only in the successor.
- each newer one-time verification code is a transformation of the result of authentication of the predecessor request.
- a flag of questionable chain of control causes an access control policy to be performed at the portal actuator, wherein an access control policy includes at least one of: an access denial to a request from a user or a device; an iteration of the system authentication value; a version update; a reauthentication process at a mobile application device; and transmission of a notification to an access control system administrator.
- the app device transmits a first forward verification code from the app device that is determined by a first approximate elapsed time from a first access request to a second access request measured at the app device and the portal controller compares the first forward verification code with a second forward verification code read from non-transitory storage that was previously received as a component of the most recently successful access request.
- the app device transmits a first forward verification code from the app device that is determined by a first approximate elapsed time from a first access request to a second access request measured at the app device and the portal controller compares the first forward verification code with a second forward verification code that is determined by a second approximate elapsed time from the first access request to the second access request measured at the portal controller.
- the app device and the portal controller each determine a verification code for a second physical access request based on the masked timestamp of the first physical access request.
- the verification code for the second physical access request is only transmitted once.
- the masking supports a range of precision or offset between the clock of the app device and the portal controller.
- circuits disclosed above may be embodied by programmable logic, field programmable gate arrays, mask programmable gate arrays, standard cells, and computing devices limited by methods stored as instructions in non-transitory media.
- a computing device 600 can be any workstation, desktop computer, laptop or notebook computer, server, portable computer, mobile telephone or other portable telecommunication device, media playing device, gaming system, mobile computing device, or any other type and/or form of computing, telecommunications or media device that is capable of communicating on any type and form of network and that has sufficient processor power and memory capacity to perform the operations described herein.
- a computing device may execute, operate or otherwise provide an application, which can be any type and/or form of software, program, or executable instructions, including, without limitation, any type and/or form of web browser, web-based client, client-server application, an ActiveX control, or a Java applet, or any other type and/or form of executable instructions capable of executing on a computing device.
- FIG. 6 depicts block diagrams of a computing device 600 useful for practicing an embodiment of the invention.
- each computing device 600 includes a central processing unit 621 and a main memory unit 622.
- a computing device 600 may include a storage device 628, an installation device 616, a network interface 618, an I/O controller 623, display devices 624a-n, a keyboard 626, a pointing device 627, such as a mouse or touchscreen, and one or more other I/O devices 630a-n such as baseband processors, Bluetooth, GPS, and Wi-Fi radios.
- the storage device 628 may include, without limitation, an operating system and software.
- the central processing unit 621 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 622 .
- the central processing unit 621 is provided by a microprocessor unit, such as: those manufactured under license from ARM; those manufactured under license from Qualcomm; those manufactured by Intel Corporation of Santa Clara, Calif.; those manufactured by International Business Machines of Armonk, N.Y.; or those manufactured by Advanced Micro Devices of Sunnyvale, Calif.
- the computing device 600 may be based on any of these processors, or any other processor capable of operating as described herein.
- Main memory unit 622 may be one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 621 .
- the main memory 622 may be based on any available memory chips capable of operating as described herein.
- the computing device 600 may include a network interface 618 to interface to a network through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56 kb, X.25, SNA, DECNET), broadband connections (e.g., ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET), wireless connections, or some combination of any or all of the above.
- Connections can be established using a variety of communication protocols (e.g., TCP/IP, IPX, SPX, NetBIOS, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), RS232, IEEE 802.11, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, CDMA, GSM, WiMax and direct asynchronous connections).
- the computing device 600 communicates with other computing devices 600 via any type and/or form of gateway or tunneling protocol such as Secure Socket Layer (SSL) or Transport Layer Security (TLS).
- the network interface 618 may comprise a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing the computing device 600 to any type of network capable of communication and performing the operations described herein.
- a computing device 600 of the sort depicted in FIG. 6 typically operates under the control of operating systems, which control scheduling of tasks and access to system resources.
- the computing device 600 can be running any operating system such as any of the versions of the MICROSOFT WINDOWS operating systems, the different releases of the Unix and Linux operating systems, any version of the MAC OS for Macintosh computers, any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating systems for mobile computing devices, or any other operating system capable of running on the computing device and performing the operations described herein.
- Typical operating systems include, but are not limited to: WINDOWS 10, manufactured by Microsoft Corporation of Redmond, Wash.; MAC OS and iOS, manufactured by Apple Inc., of Cupertino, Calif.; or any type and/or form of a Unix operating system.
- the computing device 600 may have different processors, operating systems, and input devices consistent with the device.
- the computing device 600 is a mobile device, such as a JAVA-enabled cellular telephone or personal digital assistant (PDA).
- the computing device 600 may be a mobile device such as those manufactured by, by way of example and without limitation, Kyocera of Kyoto, Japan; Samsung Electronics Co., Ltd., of Seoul, Korea; or Alphabet of Mountain View, Calif.
- the computing device 600 is a smart phone, Pocket PC Phone, or other portable mobile device supporting Microsoft Windows Mobile Software.
- the computing device 600 comprises a combination of devices, such as a mobile phone combined with a digital audio player or portable media player.
- the computing device 600 is a device in the iPhone smartphone line of devices, manufactured by Apple Inc., of Cupertino, Calif.
- the computing device 600 is a device executing the Android open source mobile phone platform distributed by the Open Handset Alliance; for example, the device 600 may be a device such as those provided by Samsung Electronics of Seoul, Korea, or HTC Headquarters of Taiwan, R.O.C.
- the computing device 600 is a tablet device such as, for example and without limitation, the iPad line of devices, manufactured by Apple Inc.; the Galaxy line of devices, manufactured by Samsung; and the Kindle manufactured by Amazon, Inc. of Seattle, Wash.
- circuits, including gate arrays, programmable logic, and processors executing instructions stored in non-transitory media, provide means for scheduling, cancelling, transmitting, editing, entering text and data, displaying and receiving selections among displayed indicia, transforming stored files into displayable images, and receiving from keyboards, touchpads, touchscreens, and pointing devices indications of acceptance, rejection, or selection.
- the systems and methods described above may be implemented as a method, apparatus or article of manufacture using programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof.
- the techniques described above may be implemented in one or more computer programs executing on a programmable computer including a processor, a storage medium readable by the processor (including, for example, volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device.
- Program code may be applied to input entered using the input device to perform the functions described and to generate output.
- the output may be provided to one or more output devices.
- Each computer program within the scope of the claims below may be implemented in any programming language, such as assembly language, machine language, a high-level procedural programming language, or an object-oriented programming language.
- the programming language may, for example, be PHP, PROLOG, PERL, C, C++, C#, JAVA, or any compiled or interpreted programming language.
- Each such computer program may be implemented in a computer program product tangibly embodied in a machine-readable storage device for execution by a computer processor.
- Method steps of the invention may be performed by a computer processor executing a program tangibly embodied on a computer-readable medium to perform functions of the invention by operating on input and generating output.
- Suitable processors include, by way of example, both general and special purpose microprocessors.
- the processor receives instructions and data from a read-only memory and/or a random access memory.
- Storage devices suitable for tangibly embodying computer program instructions include, for example, all forms of computer-readable devices, firmware, programmable logic, hardware (e.g., integrated circuit chip, electronic devices, a computer-readable non-volatile storage unit, non-volatile memory, such as semiconductor memory devices, including EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and nanostructured optical data stores. Any of the foregoing may be supplemented by, or incorporated in, specially-designed ASICs (application-specific integrated circuits) or FPGAs (Field-Programmable Gate Arrays).
- a computer can generally also receive programs and data from a storage medium such as an internal disk (not shown) or a removable disk.
- a computer may also receive programs and data from a second computer providing access to the programs via a network transmission line, wireless transmission media, signals propagating through space, radio waves, infrared signals, etc.
- the present invention is easily distinguished from conventional wireless apparatus physical access control systems by forward verification of one-time-use codes submitted by a mobile application device.
- the claimed invention forward verifies a single physical access control code upon each successful physical access request.
- the apparatus sets a flag that triggers an action when a one-time-use code is received out of sequence.
- the controller receives a plurality of physical access requests from a plurality of mobile application devices.
- the controller determines for each mobile application device a sequence of access requests comprising at least a first access request and a second access request.
- the controller Upon authenticating the first access request, the controller writes into storage a forward verification code specific to an immediately subsequent second access request from the same app device.
- the controller Upon receiving a successor, the controller performs an authentication process by matching the stored forward verification code associated with the predecessor.
- the authentication flows in only one direction.
- the invention does not depend on secret information passed back from each portal to the mobile app device.
- the forward verification determines a new code based on a successful access request.
- a range of time is supported for forward verification.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Databases & Information Systems (AREA)
- Data Mining & Analysis (AREA)
- Library & Information Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
Description
- None.
- Not Applicable.
- Not Applicable.
- Not Applicable.
- Not Applicable.
- The disclosure relates to physical access control over portals.
- What is known is that physical access can be enabled by wireless presentation of a credential, but there is a risk that the signals may be recorded and replayed, or that the sending device (or the sending device's data) may have been duplicated.
- What is known is that stored access control codes may be stolen, or maliciously reproduced.
- What is needed is a way to control a physical access portal upon determination that a counterfeit, clone, or duplicate of a physical access control device is attempting an intrusion or has already intruded.
- A physical access control system checks a sequence of access requests and determines when indicia are unusually presented out of order or reiterated.
- A portal controller apparatus receives a plurality of physical access requests that includes at a minimum the users' access credential (access requests) from a plurality of mobile application devices. Because mobility is desired with the least amount of friction, a wireless coupling is utilized. Bluetooth, RFID, Wi-Fi, infrared, optical, and cellular communication channels are exemplary but non-limiting embodiments of wireless links.
- The controller determines for each mobile application device (app device) a sequence of access requests which at minimum has at least a first access request and a second access request.
- Upon authenticating the first access request (predecessor), the controller writes into non-transitory storage a one-time verification code specific to an immediately subsequent second access request (successor) from the same app device.
- Upon receiving a successor, the controller performs an authentication process by matching the stored one-time verification code associated with the predecessor.
- On the condition the authentication process passes, a newer one-time verification code is written into non-transitory storage specific to yet another immediately subsequent successor.
- The wireless apparatus controls physical access through a portal by forward verification of one-time-use codes submitted by a mobile application device. The system forward verifies a single physical access control code upon each successful physical access request.
- The apparatus sets a flag that triggers an action when a one-time-use code is received out of sequence. The controller receives a plurality of physical access requests from a plurality of mobile application devices.
- The controller determines for each mobile application device a sequence of access requests comprising at least a first access request and a second access request.
- The foregoing and other objects, aspects, features, and advantages of the disclosure will become more apparent and better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:
- FIGS. 1-2 are block diagrams of the system and components of apparatus embodiments;
- FIGS. 3-5 are flow charts of method embodiments; and
- FIG. 6 is a block diagram of a processor suitable for performing a method embodiment of the invention.
- An apparatus controls physical access by actuating portals. Wireless devices present credentials and other indicia that are reconciled by a cloud server. The indicia are checked for continuity in a chain. Each successful access adds another level of credibility, which is deprecated when the indicia seem out of sequence or reiterated.
- In one embodiment of the invention, a timestamp included in a first physical access request (predecessor) is used to verify a subsequent second physical access request. The timestamp may be transformed, e.g., by masking, to describe a range of time. To be accepted, the subsequent second physical access request (successor) must include the transformed timestamp of the predecessor.
- On the condition the authentication process fails, the controller sets a flag of questionable chain of control associated with the app device.
- In an embodiment, each newer one-time verification code is synthesized by the app device and transmitted in both a predecessor and successor request.
- In an embodiment, each newer one-time verification code is a transformation of a timestamp read from the system clock of the app device.
- In an embodiment, each newer one-time verification code is synthesized as a transformation of the predecessor and transmitted only in the successor.
- In an embodiment, each newer one-time verification code is a transformation of the result of authentication of the predecessor request.
- In an embodiment, a flag of questionable chain of control causes an access control policy to be performed at the portal actuator.
- In an embodiment, a range of time related to the last successful physical access request is transformed into a forward verification code. In an embodiment, the difference in time between a request and the last successful physical access request by that sender is transformed into a forward verification code. In an embodiment, a mask of least significant bits is applied to the time relating a request to the last successful physical access request by that sender, giving a range of time, and the masked value is transformed into a forward verification code.
- In an embodiment, a masked timestamp of the most recent successful physical access control request is transformed into a forward verification code.
- The physical access controller apparatus enables a portal actuator upon verification of said successor access request only on the condition that a verification code in the successor is accepted. In an embodiment, the verification code is provided in the payload of the predecessor. In an embodiment, the verification code is derived from a seed provided in the payload of the predecessor. In an embodiment the verification code is a transformation of the metadata associated with the successful submission of the predecessor. The transformation process may include hashing. The transformation process may include hashing a masked string of metadata to allow a range. The transformation process may include hashing a masked timestamp of the acknowledgement of the predecessor access request.
- In an embodiment, the delta time between the predecessor and successor timestamps is a seed for a verification code.
- A visualization of the history of verification codes would be a chain of single links. If a link is received that attaches onto other than the latest link, the system denies access and resets the verification process.
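The chain of single links described above, written out as an added example (this is illustrative code, not the patent's own implementation). It simulates the variant in which the app device synthesizes each forward code and sends it in the request that precedes its use, so the controller stores only the code promised for the next access. The class names, the `token_hex` codes, the credential table, and the policy of denying a flagged device until a cloud-side reset are all assumptions of this example; the disclosure describes the behaviour, not an API.

```python
# Added example (not the patent's own code): a minimal simulation of the
# forward one-time-use verification chain. Names are illustrative assumptions.
import copy
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    device_id: str
    credential: str   # credential issued to the device by the cloud server
    code: str         # one-time code promised in this device's predecessor request
    next_code: str    # forward code the controller must see in the successor


class PortalController:
    """Controller side: holds one forward verification code per app device."""

    def __init__(self, credentials):
        self.credentials = dict(credentials)  # device_id -> credential (from the cloud server)
        self.expected = {}                    # device_id -> forward code written at last success
        self.flagged = set()                  # devices carrying a "questionable chain of control" flag

    def handle(self, req):
        """Return True (enable the portal actuator) only if the chain is intact."""
        if self.credentials.get(req.device_id) != req.credential:
            return False                      # unknown device or bad credential
        if req.device_id in self.flagged:
            return False                      # assumed policy: deny until the cloud service re-authenticates
        stored = self.expected.get(req.device_id)
        if stored is not None and not secrets.compare_digest(stored, req.code):
            # Code received out of sequence or reiterated: a link that attaches to
            # other than the latest link. Flag the device and reset its chain.
            self.flagged.add(req.device_id)
            self.expected.pop(req.device_id, None)
            return False
        # First request, or a successor whose code matched: write the forward
        # code for the immediately subsequent request.
        self.expected[req.device_id] = req.next_code
        return True

    def reset(self, device_id):
        """Outcome of a cloud-side re-authentication policy: clear flag and chain."""
        self.flagged.discard(device_id)
        self.expected.pop(device_id, None)


class AppDevice:
    """App device side: remembers the code it promised in its last accepted request."""

    def __init__(self, device_id, credential):
        self.device_id = device_id
        self.credential = credential
        self.pending = secrets.token_hex(8)   # code to present in the next request

    def build_request(self):
        return AccessRequest(self.device_id, self.credential,
                             self.pending, secrets.token_hex(8))

    def acknowledge(self, req, accepted):
        # Keep the meta data of an accepted request; a rejected promise is discarded.
        if accepted:
            self.pending = req.next_code


def simulate():
    """Constructed scenario: a legitimate device, then a clone of its stored data."""
    ctl = PortalController({"dev-1": "cred-1"})
    dev = AppDevice("dev-1", "cred-1")
    results = {}

    r1 = dev.build_request()
    results["first"] = ctl.handle(r1)            # authenticated on credential; forward code stored
    dev.acknowledge(r1, results["first"])

    clone = copy.deepcopy(dev)                   # device data duplicated right after access 1

    r2 = dev.build_request()
    results["second"] = ctl.handle(r2)           # presents r1.next_code: chain intact
    dev.acknowledge(r2, results["second"])

    r_clone = clone.build_request()              # presents r1.next_code, but r2.next_code is expected
    results["clone"] = ctl.handle(r_clone)
    results["flagged"] = "dev-1" in ctl.flagged

    results["replay_of_first"] = ctl.handle(r1)  # recorded signal replayed: denied
    results["legit_after_flag"] = ctl.handle(dev.build_request())  # real device held by policy

    ctl.reset("dev-1")                           # cloud re-authentication restarts the chain
    results["after_reset"] = ctl.handle(dev.build_request())
    return results


if __name__ == "__main__":
    print(simulate())
```

The clone is detected not because its credential is wrong but because its link no longer attaches to the latest link; the cost of that detection is that the legitimate device is also held until the policy action completes, which is the intended behaviour of the flag.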
- Referring now to the figures, as shown in FIG. 1, a cloud server 210 is communicatively coupled to at least one mobile application device 220-280 and further coupled to a physical access controller apparatus 290 at some point in time, but not necessarily communicating at the time of the point of entry attempt.
- As shown in FIG. 2, the cloud server 210 includes a non-transitory store of instructions 212; a non-transitory store of digital signatures, credentials, and identities 214; a communication controller to mobile application devices 216; a communication channel to all physical access controllers 218; and a processor 219.
- Each mobile application device 220 (app device) includes a non-transitory store of instructions 222; a non-transitory store of physical access request meta data 224; a wireless portal channel transceiver 226; a wireless communication channel to the cloud server 228; and a processor 229.
- A physical access controller 290 apparatus (acc controller) includes a non-transitory store of instructions 292; a non-transitory store of verification codes 294; a wireless portal beacon and receiver 296; a communication channel to the cloud server 298; a processor 299; and an actual control output to control the access of a portal (e.g., the door) 291.
- The method of operation of the cloud server is to distribute 310 a version controlled application (smart app) and indicia of credentials and authentication to the acc controller and the at least one app device. In an embodiment, a smart app could also be pre-installed on the app device. In an embodiment, a smart app is installed over the air from another software distribution point of origin (e.g., Apple™'s App Store).
- Referring to FIG. 3, the method of operation at a cloud server includes: receiving a message causing initialization/update of one or more app devices 311; authenticating that the message originates from a trusted source 312; authenticating the device or apparatus to be served 313; verifying physical location of the device or apparatus 314; authenticating the operator of the device 315; updating a system authentication value 316; updating a list of authorized portals 317; updating certificates and digital signatures 318; and updating the version of instructions 319.
- The method of operation 420 of a mobile application device, shown in FIG. 4, includes: formulating 422 a first physical access request (predecessor) in response to a first signal from a first suitable wireless transceiver associated with a portal controller; transmitting 424 the predecessor and storing meta data of its receipt and acceptance into a non-transitory store; formulating 426 a second physical access request (successor) by transforming the meta data of the most recent receipt and acceptance of said predecessor into a verification code; and transmitting 428 the successor and storing meta data of its receipt and acceptance into the non-transitory store.
- The method 420 further includes: transforming 423 a physical access request with a timestamp; and deleting 425 meta data records on the condition of failure in receipt or acceptance of any access request.
- The method 420 further includes: reading 427 the device system clock as an input to transforming the access request; and masking 429 the device system clock value to provide a range of time.
- The method 420 further includes: receiving 421 an updated set of versioned authentication credentials, instructions, and authorized access portals.
- Referring to FIG. 5, the method of operation 590 of a physical access controller apparatus includes: receiving 592 at least two physical access requests (access requests) in sequence from a mobile application device, wherein said two access requests are a predecessor and a successor; writing 594 at least one verification code into a non-transitory store; determining 596 when a verification code associated with a successor access request is acceptable; and enabling 598 a physical access portal actuator.
- The method 590 further includes: determining 593 a verification code for the successor by operating on the data and meta data of the predecessor; and transforming 595 the data and meta data of the successor into a pair of chained verification codes.
- The method 590 further includes: determining 597 when a verification code presented by a successor access request is unacceptable; and blocking 599 an access request and initiating a policy at the cloud server.
- The method 590 further includes, upon initiation, distributing an update version 591 of a smart app to at least one mobile application device and one access controller.
- In another embodiment, the distinguishing aspect of the one-time code is that it is “new” and not “reused”. In this version, the controller merely stores the last used one-time code. The next access must include this last used code (validated) and a new code (stored for the next access).
- One aspect of the invention is a mobile application device (app device) for physical access that has: a wireless transceiver; a processor and a system clock; a non-transitory store configured with authentication certificates; a physical access application; and a non-transitory store for at least two one-time verification codes.
- In an embodiment, the app device also has a non-transitory store for a system authentication value (SAV), a credential, a user ID, and executable code for hashing and transacting requests; and a circuit to transform indicia into a physical access control request.
- In an embodiment, the app device also has a circuit to synthesize a forward one-time verification code from a timestamp of its system clock.
- In an embodiment, the app device synthesizes a forward one-time verification code pseudo-randomly.
- In an embodiment, the app device also has a circuit to synthesize a forward one-time verification code upon a successful physical access control request.
- Another aspect of the invention is a system that has: a plurality of mobile application devices (app devices); a physical access controller (access controller) communicatively coupled to said devices; and a cloud security service server; wherein said access controller includes a non-transitory store of sequential access codes associated with each user id and credentials verified by the cloud security service server; a transceiver to receive and acknowledge physical access requests; a circuit to operate a portal actuator; and a non-transitory store of security policies.
- In an embodiment, each access controller receives an updated one-time code for each app device from any other access controller. In an embodiment, each access controller recognizes only one-time codes derived from its own span of portals or individually for each portal.
- In an embodiment, the system also has: a circuit to verify a physical access request with a stored forward verification code.
- In an embodiment, the system also has: a circuit to perform a security policy on the condition the verification of a physical access request fails.
- In an embodiment, the system also has: a circuit to cause app devices and access controllers to advance a system authentication value.
- In an embodiment, the system also has: a circuit to extract and store a forward verification code from a last successful physical access request.
- In an embodiment, the system also has: a circuit to determine a forward verification code for a user upon last successful physical access request.
- Another aspect of the invention is a method for control of a physical access portal comprising the processes: at a controller, receiving a plurality of physical access requests (access requests) from a plurality of mobile application devices; at the controller, determining for each mobile application device (app device) a sequence of access requests comprising at least a first access request and a second access request; at the controller, upon authenticating the first access request (predecessor), writing into non-transitory storage a one-time verification code specific to an immediately subsequent second access request (successor) from the same app device; and at the controller, upon receiving a successor, performing an authentication process by matching the stored one-time verification code associated with the predecessor.
- In an embodiment, the method also has: on the condition the authentication process passes, writing a newer one-time verification code into non-transitory storage specific to yet another immediately subsequent successor.
- In an embodiment, the method also has: on the condition the authentication process fails, setting a flag of questionable chain of control associated with the app device.
- In an embodiment, each newer one-time verification code is synthesized by the app device and transmitted in both a predecessor and successor request.
- In an embodiment, each newer one-time verification code is a transformation of a timestamp read from the system clock of the app device.
- In an embodiment, each newer one-time verification code is synthesized as transformation of the predecessor and transmitted only in the successor.
- In an embodiment, each newer one-time verification code is a transformation of the result of authentication of the predecessor request.
- In an embodiment, a flag of questionable chain of control causes an access control policy to be performed at the portal actuator, wherein an access control policy includes at least one of: an access denial to a request from a user or a device; an iteration of the system authentication value; a version update; a reauthentication process at a mobile application device; and transmission of a notification to an access control system administrator.
- In an embodiment, the app device transmits a first forward verification code from the app device that is determined by a first approximate elapsed time from a first access request to a second access request measured at the app device and the portal controller compares the first forward verification code with a second forward verification code read from non-transitory storage that was previously received as a component of the most recently successful access request.
- In an embodiment, the app device transmits a first forward verification code from the app device that is determined by a first approximate elapsed time from a first access request to a second access request measured at the app device and the portal controller compares the first forward verification code with a second forward verification code that is determined by a second approximate elapsed time from the first access request to the second access request measured at the portal controller.
- In another embodiment of the invention, the app device and the portal controller each determine a verification code for a second physical access request based on the masked timestamp of the first physical access request. The verification code for the second physical access request is only transmitted once. The masking supports a range of precision or offset between the clock of the app device and the portal controller.
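The masked-timestamp variant just described, and the hashing of a masked timestamp mentioned earlier in the summary, as an added example (illustrative code, not the patent's own). Both sides derive the successor's code from the predecessor's timestamp with the low-order bits cleared, so the code is transmitted only once and clock offset between device and controller is absorbed by the window. Two things are this example's assumptions rather than the disclosure's: the hash is keyed with the per-device system authentication value (SAV) the disclosure mentions, so that an observer of the predecessor cannot compute the successor's code from the timestamp alone, and the controller also tries the two adjacent windows, because a predecessor sent just before a window boundary on the device clock can land just after it on the controller clock. The function names and sample values are constructed.

```python
# Added example (not the patent's own code): forward verification codes
# derived independently by app device and controller from a masked timestamp.
import hashlib
import hmac


def masked_timestamp(ts, mask_bits):
    """Clear the low mask_bits of a Unix timestamp, so every instant within one
    2**mask_bits second window maps to the same value (the "range of time")."""
    return ts & ~((1 << mask_bits) - 1)


def forward_code(sav, device_id, predecessor_ts, mask_bits=6):
    """Code = HMAC-SHA256(SAV, device_id || masked predecessor timestamp), truncated.
    Keying with the SAV is this example's choice; the disclosure only says 'hashing'."""
    window = masked_timestamp(predecessor_ts, mask_bits)
    msg = f"{device_id}|{window}".encode()
    return hmac.new(sav, msg, hashlib.sha256).hexdigest()[:16]


def controller_accepts(sav, device_id, ack_ts, presented, mask_bits=6):
    """Controller side: recompute from its own record of when the predecessor was
    acknowledged. The device clock may sit on the other side of a window boundary,
    so the neighbouring windows are tried too (assumed tolerance, one window each way)."""
    step = 1 << mask_bits
    for candidate in (ack_ts - step, ack_ts, ack_ts + step):
        expected = forward_code(sav, device_id, candidate, mask_bits)
        if hmac.compare_digest(expected, presented):
            return True
    return False


def scenario():
    """Constructed values: a 3 s clock offset between device and controller,
    64 s windows (mask_bits=6)."""
    sav = b"constructed-sav-for-dev-1"
    dev = "dev-1"
    app_ts = 1_700_000_010            # device clock when the predecessor was sent
    ctl_ts = app_ts + 3               # controller clock when it was acknowledged
    presented = forward_code(sav, dev, app_ts)
    return {
        # both clocks inside the same 64 s window
        "same_window": controller_accepts(sav, dev, ctl_ts, presented),
        # device 1 s before the boundary at 1_700_000_064, controller 2 s after it
        "straddles_boundary": controller_accepts(
            sav, dev, 1_700_000_066, forward_code(sav, dev, 1_700_000_063)),
        # a code captured from an access several windows earlier no longer verifies
        "stale_code": controller_accepts(
            sav, dev, ctl_ts, forward_code(sav, dev, 1_700_000_500)),
        # a device that lacks the SAV cannot synthesize an acceptable code
        "wrong_key": controller_accepts(b"other-key", dev, ctl_ts, presented),
    }


if __name__ == "__main__":
    print(scenario())
```

The one-time property here comes from the controller advancing its recorded acknowledgement timestamp on every successful access: once the successor has been accepted, a code derived from the old predecessor falls outside the windows the controller will recompute. Widening the tolerance to adjacent windows trades a little of that tightness for robustness against clock offset; the mask width should be chosen from the measured offset between device and controller clocks, not set generously by default.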
- As is known, circuits disclosed above may be embodied by programmable logic, field programmable gate arrays, mask programmable gate arrays, standard cells, and computing devices limited by methods stored as instructions in non-transitory media.
- Generally a computing device 600 can be any workstation, desktop computer, laptop or notebook computer, server, portable computer, mobile telephone or other portable telecommunication device, media playing device, a gaming system, mobile computing device, or any other type and/or form of computing, telecommunications or media device that is capable of communicating on any type and form of network and that has sufficient processor power and memory capacity to perform the operations described herein. A computing device may execute, operate or otherwise provide an application, which can be any type and/or form of software, program, or executable instructions, including, without limitation, any type and/or form of web browser, web-based client, client-server application, an ActiveX control, or a Java applet, or any other type and/or form of executable instructions capable of executing on a computing device.
- FIG. 6 depicts block diagrams of a computing device 600 useful for practicing an embodiment of the invention. As shown in FIG. 6, each computing device 600 includes a central processing unit 621, and a main memory unit 622. A computing device 600 may include a storage device 628, an installation device 616, a network interface 618, an I/O controller 623, display devices 624 a-n, a keyboard 626, a pointing device 627, such as a mouse or touchscreen, and one or more other I/O devices 630 a-n such as baseband processors, Bluetooth, GPS, and Wi-Fi radios. The storage device 628 may include, without limitation, an operating system and software.
- The central processing unit 621 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 622. In many embodiments, the central processing unit 621 is provided by a microprocessor unit, such as: those manufactured under license from ARM; those manufactured under license from Qualcomm; those manufactured by Intel Corporation of Santa Clara, Calif.; those manufactured by International Business Machines of Armonk, N.Y.; or those manufactured by Advanced Micro Devices of Sunnyvale, Calif. The computing device 600 may be based on any of these processors, or any other processor capable of operating as described herein.
- Main memory unit 622 may be one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 621. The main memory 622 may be based on any available memory chips capable of operating as described herein.
- Furthermore, the computing device 600 may include a network interface 618 to interface to a network through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56 kb, X.25, SNA, DECNET), broadband connections (e.g., ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET), wireless connections, or some combination of any or all of the above. Connections can be established using a variety of communication protocols (e.g., TCP/IP, IPX, SPX, NetBIOS, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), RS232, IEEE 802.11, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, CDMA, GSM, WiMax and direct asynchronous connections). In one embodiment, the computing device 600 communicates with other computing devices 600 via any type and/or form of gateway or tunneling protocol such as Secure Socket Layer (SSL) or Transport Layer Security (TLS). The network interface 618 may comprise a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing the computing device 600 to any type of network capable of communication and performing the operations described herein.
- A computing device 600 of the sort depicted in FIG. 6 typically operates under the control of operating systems, which control scheduling of tasks and access to system resources. The computing device 600 can be running any operating system such as any of the versions of the MICROSOFT WINDOWS operating systems, the different releases of the Unix and Linux operating systems, any version of the MAC OS for Macintosh computers, any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating systems for mobile computing devices, or any other operating system capable of running on the computing device and performing the operations described herein. Typical operating systems include, but are not limited to: WINDOWS 10, manufactured by Microsoft Corporation of Redmond, Wash.; MAC OS and iOS, manufactured by Apple Inc., of Cupertino, Calif.; or any type and/or form of a Unix operating system.
- In some embodiments, the computing device 600 may have different processors, operating systems, and input devices consistent with the device. In other embodiments the computing device 600 is a mobile device, such as a JAVA-enabled cellular telephone or personal digital assistant (PDA). The computing device 600 may be a mobile device such as those manufactured, by way of example and without limitation, by Kyocera of Kyoto, Japan; Samsung Electronics Co., Ltd., of Seoul, Korea; or Alphabet of Mountain View, Calif. In yet other embodiments, the computing device 600 is a smart phone, Pocket PC Phone, or other portable mobile device supporting Microsoft Windows Mobile Software.
- In some embodiments, the computing device 600 comprises a combination of devices, such as a mobile phone combined with a digital audio player or portable media player. In another of these embodiments, the computing device 600 is a device in the iPhone smartphone line of devices, manufactured by Apple Inc., of Cupertino, Calif. In still another of these embodiments, the computing device 600 is a device executing the Android open source mobile phone platform distributed by the Open Handset Alliance; for example, the device 600 may be a device such as those provided by Samsung Electronics of Seoul, Korea, or HTC Headquarters of Taiwan, R.O.C. In other embodiments, the computing device 600 is a tablet device such as, for example and without limitation, the iPad line of devices, manufactured by Apple Inc.; the Galaxy line of devices, manufactured by Samsung; and the Kindle manufactured by Amazon, Inc. of Seattle, Wash.
- As is known, circuits including gate arrays, programmable logic, and processors executing instructions stored in non-transitory media provide means for scheduling, cancelling, transmitting, editing, entering text and data, displaying and receiving selections among displayed indicia, and transforming stored files into displayable images, and for receiving from keyboards, touchpads, touchscreens, and pointing devices indications of acceptance, rejection, or selection.
- It should be understood that the systems described above may provide multiple ones of any or each of those components and these components may be provided on either a standalone machine or, in some embodiments, on multiple machines in a distributed system. The phrases ‘in one embodiment’, ‘in another embodiment’, and the like, generally mean the particular feature, structure, step, or characteristic following the phrase is included in at least one embodiment of the present disclosure and may be included in more than one embodiment of the present disclosure. However, such phrases do not necessarily refer to the same embodiment.
- The systems and methods described above may be implemented as a method, apparatus or article of manufacture using programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof. The techniques described above may be implemented in one or more computer programs executing on a programmable computer including a processor, a storage medium readable by the processor (including, for example, volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Program code may be applied to input entered using the input device to perform the functions described and to generate output. The output may be provided to one or more output devices.
- Each computer program within the scope of the claims below may be implemented in any programming language, such as assembly language, machine language, a high-level procedural programming language, or an object-oriented programming language. The programming language may, for example, be PHP, PROLOG, PERL, C, C++, C#, JAVA, or any compiled or interpreted programming language.
- Each such computer program may be implemented in a computer program product tangibly embodied in a machine-readable storage device for execution by a computer processor. Method steps of the invention may be performed by a computer processor executing a program tangibly embodied on a computer-readable medium to perform functions of the invention by operating on input and generating output. Suitable processors include, by way of example, both general and special purpose microprocessors. Generally, the processor receives instructions and data from a read-only memory and/or a random access memory. Storage devices suitable for tangibly embodying computer program instructions include, for example, all forms of computer-readable devices, firmware, programmable logic, hardware (e.g., integrated circuit chip, electronic devices, a computer-readable non-volatile storage unit, non-volatile memory, such as semiconductor memory devices, including EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and nanostructured optical data stores). Any of the foregoing may be supplemented by, or incorporated in, specially-designed ASICs (application-specific integrated circuits) or FPGAs (Field-Programmable Gate Arrays). A computer can generally also receive programs and data from a storage medium such as an internal disk (not shown) or a removable disk. These elements will also be found in a conventional desktop or workstation computer as well as other computers suitable for executing computer programs implementing the methods described herein, which may be used in conjunction with any digital print engine or marking engine, display monitor, or other raster output device capable of producing color or gray scale pixels on paper, film, display screen, or other output medium. A computer may also receive programs and data from a second computer providing access to the programs via a network transmission line, wireless transmission media, signals propagating through space, radio waves, infrared signals, etc.
- The present invention is distinguished from conventional wireless physical access control systems by forward verification of one-time-use codes submitted by a mobile application device. The claimed invention forward-verifies a single physical access control code upon each successful physical access request. The apparatus sets a flag that triggers an action when a one-time-use code is received out of sequence. The controller receives a plurality of physical access requests from a plurality of mobile application devices. For each mobile application device, the controller determines a sequence of access requests comprising at least a first access request and a second access request. Upon authenticating the first access request, the controller writes into storage a forward verification code specific to the immediately subsequent second access request from the same mobile application device. Upon receiving that successor request, the controller authenticates it by matching the code it carries against the forward verification code that was stored when its predecessor was authenticated.
- Unlike conventional systems, authentication flows in only one direction: the invention does not depend on secret information passed back from each portal to the mobile application device. Unlike conventional rolling codes, forward verification determines a new code only as a result of a successful access request. Unlike conventional systems, a range of time is supported for forward verification.
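The controller-side flow described in the two paragraphs above, written out as an added simulation; this is not the patent's or the assignee's code. The page does not say how the forward verification code is derived, how long the supported range of time is, or what action the out-of-sequence flag triggers, so the example assumes a per-device key shared with the controller at enrollment, HMAC-SHA256 over a request index as the derivation, a fixed validity window in seconds for each stored forward code, and lockout of the device as the triggered action. The `lookahead` parameter, the device identifiers, keys and timestamps are all constructed for the example.

```python
"""Forward one-time-use verification, simulated (added example, not the patent's code).

Assumptions, not stated on the page: a per-device key shared at enrollment;
HMAC-SHA256 over a request index as the code derivation; a validity window in
seconds for each stored forward code; lockout as the action the flag triggers.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


def derive_code(key: bytes, index: int) -> bytes:
    """One-time code for request number `index` (assumed derivation: HMAC-SHA256)."""
    return hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()


@dataclass
class DeviceRecord:
    key: bytes                 # per-device secret shared at enrollment (assumption)
    last_index: int = 0        # index of the last successfully verified request
    forward_code: bytes = b""  # stored forward verification code for the successor
    written_at: float = 0.0    # time the forward code was written
    flagged: bool = False      # set when a code arrives out of sequence


class Controller:
    def __init__(self, window_seconds: float, lookahead: int = 8) -> None:
        self.window = window_seconds      # accepted range of time for the forward code
        self.lookahead = lookahead        # used only to classify a wrong code, never to accept it
        self.devices: dict[str, DeviceRecord] = {}

    def enroll(self, device_id: str, key: bytes, now: float) -> None:
        rec = DeviceRecord(key=key)
        rec.forward_code = derive_code(key, 1)   # the first request is index 1
        rec.written_at = now
        self.devices[device_id] = rec

    def request_access(self, device_id: str, code: bytes, now: float) -> str:
        rec = self.devices.get(device_id)
        if rec is None:
            return "unknown-device"
        if rec.flagged:
            return "flagged"  # assumed triggered action: device stays locked out
        if hmac.compare_digest(code, rec.forward_code):   # constant-time match
            if now - rec.written_at > self.window:
                return "expired"  # correct successor, but outside the range of time
            # Successful access: store the forward code for the immediately subsequent request.
            rec.last_index += 1
            rec.forward_code = derive_code(rec.key, rec.last_index + 1)
            rec.written_at = now
            return "granted"
        # Wrong code: a replayed or skipped-ahead code is "out of sequence" and sets the flag.
        lo = max(1, rec.last_index - self.lookahead)
        hi = rec.last_index + 1 + self.lookahead
        for idx in range(lo, hi + 1):
            if idx != rec.last_index + 1 and hmac.compare_digest(code, derive_code(rec.key, idx)):
                rec.flagged = True
                return "out-of-sequence"
        return "denied"


class MobileApp:
    """Client side: derives its own next code; nothing is passed back from the portal."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.next_index = 1

    def current_code(self) -> bytes:
        return derive_code(self.key, self.next_index)

    def advance(self) -> None:      # called only after the portal granted access
        self.next_index += 1


def demo() -> list[str]:
    """Constructed walk-through: grant, replay, lockout, then an expired forward code."""
    ctrl = Controller(window_seconds=3600)
    key_a = b"constructed-enrollment-key-for-device-A"
    ctrl.enroll("device-A", key_a, now=1000.0)
    app_a = MobileApp(key_a)
    results = []
    first = app_a.current_code()
    results.append(ctrl.request_access("device-A", first, now=1010.0))             # granted
    app_a.advance()
    results.append(ctrl.request_access("device-A", first, now=1020.0))             # replay
    results.append(ctrl.request_access("device-A", app_a.current_code(), now=1030.0))  # locked out

    key_b = b"constructed-enrollment-key-for-device-B"
    ctrl.enroll("device-B", key_b, now=2000.0)
    app_b = MobileApp(key_b)
    results.append(ctrl.request_access("device-B", app_b.current_code(), now=2005.0))  # granted
    app_b.advance()
    results.append(ctrl.request_access("device-B", app_b.current_code(), now=5700.0))  # expired
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Two design points worth noting. Because both sides derive each code from the shared key and a request index, the app never needs anything from the portal, which is the one-directional property the page claims. The `lookahead` range is consulted only after a mismatch, to decide whether a wrong code is a replay or a skip and therefore sets the flag; it is never used to accept a skipped code, since accepting codes within a window is exactly the rolling-code behaviour the page distinguishes itself from.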
- Having described certain embodiments of methods and systems for restricting physical access, it will now become apparent to one of skill in the art that other embodiments incorporating the concepts of the disclosure may be used. Therefore, the disclosure should not be limited to certain embodiments, but rather should be limited only by the spirit and scope of the following claims.
Claims (20)
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/390,507 US20180183835A1 (en) | 2016-12-25 | 2016-12-25 | Forward one-time-use physical access verification apparatus, system, and method of operation |
US16/172,809 US20190073843A1 (en) | 2016-12-25 | 2018-10-28 | Forward single origin physical access verification apparatus, system, and method of operation |
US16/458,044 US11777996B2 (en) | 2016-12-25 | 2019-06-29 | Distributed one-time-use entry code generation for physical access control method of operation and mobile systems |
US17/952,241 US20230012773A1 (en) | 2016-12-25 | 2022-09-24 | Distributed one-time-use entry code generation for physical access control method of operation and mobile systems |
US17/952,243 US20230019653A1 (en) | 2016-12-25 | 2022-09-24 | Distributed one-time-use entry code generation for physical access control method of operation and mobile systems |
US17/952,245 US20230177906A1 (en) | 2016-12-25 | 2022-09-24 | Distributed one-time-use entry code generation for physical access control method of operation and mobile systems |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/390,507 US20180183835A1 (en) | 2016-12-25 | 2016-12-25 | Forward one-time-use physical access verification apparatus, system, and method of operation |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/172,809 Continuation-In-Part US20190073843A1 (en) | 2016-12-25 | 2018-10-28 | Forward single origin physical access verification apparatus, system, and method of operation |
US16/458,044 Continuation-In-Part US11777996B2 (en) | 2016-12-25 | 2019-06-29 | Distributed one-time-use entry code generation for physical access control method of operation and mobile systems |
Publications (1)
Publication Number | Publication Date |
---|---|
US20180183835A1 true US20180183835A1 (en) | 2018-06-28 |
Family
ID=62625100
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/390,507 Abandoned US20180183835A1 (en) | 2016-12-25 | 2016-12-25 | Forward one-time-use physical access verification apparatus, system, and method of operation |
US16/458,044 Active 2039-12-29 US11777996B2 (en) | 2016-12-25 | 2019-06-29 | Distributed one-time-use entry code generation for physical access control method of operation and mobile systems |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/458,044 Active 2039-12-29 US11777996B2 (en) | 2016-12-25 | 2019-06-29 | Distributed one-time-use entry code generation for physical access control method of operation and mobile systems |
Country Status (1)
Country | Link |
---|---|
US (2) | US20180183835A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11228575B2 (en) * | 2019-07-26 | 2022-01-18 | International Business Machines Corporation | Enterprise workspaces |
US11821236B1 (en) | 2021-07-16 | 2023-11-21 | Apad Access, Inc. | Systems, methods, and devices for electronic dynamic lock assembly |
RU2828224C1 (en) * | 2019-10-31 | 2024-10-08 | Фабио ФОНТАНА | Device for therapy of painful inflammatory pathologies and for neuromuscular and neuropostural modulation |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112257104A (en) * | 2020-10-10 | 2021-01-22 | 北京字跳网络技术有限公司 | Authority control method and device and electronic equipment |
US11409865B1 (en) * | 2021-08-16 | 2022-08-09 | Cyberark Software Ltd. | Verification code injection at build time |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009089099A1 (en) * | 2008-01-04 | 2009-07-16 | M2 International Ltd. | Dynamic card verification value |
US8117648B2 (en) * | 2008-02-08 | 2012-02-14 | Intersections, Inc. | Secure information storage and delivery system and method |
US8582771B2 (en) * | 2008-09-10 | 2013-11-12 | Lg Electronics Inc. | Method for selectively encrypting control signal |
US8646047B2 (en) * | 2010-09-13 | 2014-02-04 | Nokia Corporation | Method and apparatus for authenticating access by a service |
US8646060B1 (en) * | 2013-07-30 | 2014-02-04 | Mourad Ben Ayed | Method for adaptive authentication using a mobile device |
US9125050B2 (en) * | 2013-09-26 | 2015-09-01 | Dell Products L.P. | Secure near field communication server information handling system lock |
- 2016-12-25: US15/390,507 filed (US20180183835A1, abandoned)
- 2019-06-29: US16/458,044 filed (US11777996B2, active)
Also Published As
Publication number | Publication date |
---|---|
US20190325673A1 (en) | 2019-10-24 |
US11777996B2 (en) | 2023-10-03 |
Similar Documents
Publication | Title |
---|---|
US11570160B2 (en) | Securely authorizing access to remote resources |
US11265319B2 (en) | Method and system for associating a unique device identifier with a potential security threat |
US9923902B2 (en) | Remote processsing of mobile applications |
EP3278528B1 (en) | Accelerated passphrase verification |
US20180287792A1 (en) | Method and system for protecting data keys in trusted computing |
CN112019493A (en) | Identity authentication method, identity authentication device, computer device, and medium |
EP3365830A1 (en) | Establishing trust between containers |
US10812271B2 (en) | Privacy control using unique identifiers associated with sensitive data elements of a group |
CN107528830B (en) | Account login method, system and storage medium |
US20180183835A1 (en) | Forward one-time-use physical access verification apparatus, system, and method of operation |
EP3662430B1 (en) | System and method for authenticating a transaction |
US12015703B2 (en) | Electronic device for user authentication, server, and control method therefor |
US9699656B2 (en) | Systems and methods of authenticating and controlling access over customer data |
CN109743161B (en) | Information encryption method, electronic device and computer readable medium |
US20220286294A1 (en) | Secure digital signing of a document |
EP3206329A1 (en) | Security check method, device, terminal and server |
US20140215220A1 (en) | Application distribution system and method |
CN111199037A (en) | Login method, system and device |
CN112769565B (en) | Method, device, computing equipment and medium for upgrading cryptographic algorithm |
US20190073843A1 (en) | Forward single origin physical access verification apparatus, system, and method of operation |
CN112767142B (en) | Processing method, device, computing equipment and medium for transaction file |
US10461932B2 (en) | Method and system for digital signature-based adjustable one-time passwords |
US11514442B2 (en) | Secure input using tokens |
CN113439292B (en) | System and method for managing trusted applications in computer chip modules |
WO2019062184A1 (en) | Bank insurance policy data interfacing method and insurance policy data server |
Legal Events
Code | Title | Description |
---|---|---|
AS | Assignment | Owner name: BRIVO SYSTEMS LLC, MARYLAND. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: BRYANT, STEVEN MARK; WHEELER, CHARLES; REEL/FRAME: 043144/0197. Effective date: 20170731 |
STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
AS | Assignment | Owner name: CIBC BANK USA, ILLINOIS. Free format text: SECURITY INTEREST; ASSIGNOR: BRIVO SYSTEMS LLC; REEL/FRAME: 052608/0331. Effective date: 20200507 |
AS | Assignment | Owner name: BRIVO SYSTEMS LLC, MARYLAND. Free format text: RELEASE BY SECURED PARTY; ASSIGNOR: CIBC BANK USA; REEL/FRAME: 061579/0013. Effective date: 20221020 |