WO2020082164A1 - Digital certificate enrolment system and method, and challenge password management system and method therefor - Google Patents
- Publication number
- WO2020082164A1 (PCT/CA2019/051022)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- digital
- certificate
- identity
- request
- network
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Definitions
- the present disclosure relates to digital certificate enrolment and management, and, in particular, to a digital certificate enrolment system and method, and challenge password management system and method therefor.
- Digital certificates are commonly employed to securely identify an entity such as an end user or device, for instance to authenticate end users and encrypt/decrypt messages.
- a user will request a certificate from a Certification Authority (CA), which will issue an encrypted digital certificate containing the applicant’s public key and a variety of other user identification information.
- CA Certification Authority
- PKIs Active Directory-integrated public key infrastructures
- a non-Active Directory-integrated PKI, e.g. within the context of a standalone CA
- certificate enrollment requests generally need to be authorized.
- OTP one-time password
- a digital certificate enrolment front-end process digitally executable by one or more digital data processors for enrolling a digital certificate for a network entity with a corresponding certification authority (CA), the process comprising: requesting a challenge password on behalf of the network entity; providing the network entity secure access to said challenge password; obtaining a signed certification request from the network entity encompassing said challenge password; issuing a certificate enrolment request encompassing said challenge password on behalf of the network entity so as to invoke issuance of the digital user certificate from the CA; and relaying the digital certificate to the network entity.
- the process further comprises receiving a preliminary certification request generated by the network entity; said providing comprises appending said challenge password to said preliminary certification request to create a digital digest representative thereof, and securely forwarding said digital digest to the network entity; and said obtaining comprises obtaining a digital signature from the network entity upon processing thereby of said digital digest to construct said signed certification request.
- the digital digest comprises a secure cryptographic hash.
- requesting a challenge password comprises processing a pre-emptive request received via an authorized administrative interface to pre-emptively obtain and securely store said challenge password; and said providing comprises, upon initiation of a digital certificate enrolment process for the network device, providing the network device secure access to said challenge password to locally generate said signed certificate request encompassing said challenge password.
- the challenge password comprises a one-time password (OTP).
- the certificate enrolment request comprises a simple certificate enrolment protocol (SCEP) request.
- SCEP simple certificate enrolment protocol
- the certification request comprises a certificate signing request (CSR).
- CSR certificate signing request
- the digital certificate is to be associated with a designated entity, the process further comprising: digitally associating a digital identity of the designated entity with said challenge password; and only issuing said certificate enrolment request encompassing said challenge password upon verifying that a given entity identified by said signed certification request corresponds with said digital identity.
- the designated entity comprises an end user and wherein said digital identity comprises a digital end user identity.
- the designated entity comprises a network application instance and wherein said digital identity comprises a digital application instance identity.
- the designated entity comprises a target resource, the digital certificate is to be used to digitally gain authorized access to the target resource, and said digital identity comprises a digital target resource identity.
- the digital certificate is to be digitally associated with an authorized end user and a target resource to which the authorized end user is to be provided authenticated access using the digital certificate via the network device, the process further comprising: digitally associating a digital end user identity and a digital target resource identity corresponding with the authorized end user and the target resource, respectively, with said challenge password; and only issuing said certificate enrolment request encompassing said challenge password upon verifying that said signed certification request identifies said digital end user identity and said target resource identity.
- the target resource comprises or is associated with an instance of a network application, and wherein said digital target resource identity comprises a digital network application instance identity.
- the challenge password is requested from a registration authority (RA) having digital access to said certification authority and wherein said certificate enrolment request is issued to said RA.
- RA registration authority
- a non-transitory computer-readable medium comprising statements and instructions stored thereon to be executed by one or more processors to implement a certificate enrolment front-end process to enroll a digital certificate for a network entity with a corresponding certification authority (CA) by executing the process as defined above.
- a network device comprising a non-transitory computer-readable medium as defined above, or operable to execute the process as defined above.
- a digital certificate enrolment system to enroll a digital certificate with a digital certification authority for a network entity, the system comprising: a digital certificate enrolment engine operable to interface with the digital certification authority and having a front-end interface operable to: request a challenge password on behalf of the network entity; provide the network entity secure access to said challenge password; obtain a signed certification request from the network entity encompassing said challenge password; issue a certificate enrolment request encompassing said challenge password on behalf of the network entity so as to invoke issuance of the digital certificate from the certification authority; and relay the digital certificate to the network entity.
- the front-end interface is further operable to, prior to requesting said challenge password, receive a preliminary certification request generated by the network entity, wherein said front-end interface is further operable to append said challenge password to said preliminary certification request to create a digital digest representative thereof, and securely forward said digital digest to the network entity to obtain a digital signature from the network entity upon processing thereby of said digital digest to construct said signed certification request.
- the digital digest comprises a secure cryptographic hash.
- the front-end interface further comprises secure network access to a server directory and a network administrator interface, and is further operable to process a pre-emptive request received via said network administrator interface to pre-emptively obtain and securely store said challenge password on said server directory; wherein, upon initiation of a digital certificate enrolment process for the network entity, said front-end interface provides the network entity authenticated access to said challenge password to locally generate said signed certificate request encompassing said challenge password.
- the system further comprises the digital certification authority, and wherein said digital certification authority comprises a standalone digital certification authority.
- the system further comprises an enterprise management device operating an enterprise management application having communicative access to the network entity and said front-end interface to intermediate certificate enrolment for the network device.
- the challenge password comprises a one-time password (OTP).
- the certificate enrolment request comprises a simple certificate enrolment protocol (SCEP) request.
- the certification request comprises a certificate signing request (CSR).
- the digital certificate is to be associated with a designated entity, and wherein said front-end interface is further operable to: digitally associate a digital identity of the designated entity with said challenge password; and prior to issuing said certificate enrolment request, verify that said challenge password to be encompassed therein corresponds with said digital identity.
- the designated entity comprises an end user of the network device and wherein said digital identity comprises a digital end user identity.
- the designated entity comprises a network application instance and wherein said digital identity comprises a digital application instance identity.
- the designated entity comprises a target resource, the digital certificate is to be used to digitally gain authorized access to the target resource using the network device, and said digital identity comprises a digital target resource identity.
- the digital certificate is to be digitally associated with an authorized end user and a target resource to which the authorized end user is to be provided authenticated access using the digital certificate via the network device, said front-end interface being further operable to digitally associate a digital end user identity and digital target resource identity with said challenge password; and prior to issuing said certificate enrolment request, verifying that said challenge password to be encompassed therein corresponds with said digital end user identity and said digital target resource identity.
- the target resource comprises or is associated with an instance of a network application, and wherein said digital target resource identity comprises a digital network application instance identity.
- a digital certificate enrolment front-end process digitally executable by one or more digital data processors for enrolling a digital certificate with a corresponding certification authority (CA), wherein the digital certificate is to be associated with a designated entity, the process comprising: digitally associating a digital identity of the designated entity with a challenge password to be used for enrolling the digital certificate for the designated entity; obtaining a request for the digital certificate issued from a given network device and encompassing said challenge password, wherein said request identifies a given entity to be associated with the digital certificate; verifying that said given entity identified by said request corresponds with said digital identity digitally associated with said challenge password; and upon said given entity corresponding with said digital identity, issuing a certificate enrolment request encompassing said challenge password on behalf of the given network device so as to invoke issuance of the digital certificate for the designated entity from the CA to the given network device.
- the designated entity comprises at least one of an end user or a network application instance.
- the designated entity comprises a target resource, the digital certificate is to be used to digitally gain authorized access to the target resource, and said digital identity comprises a digital target resource identity.
- the digital certificate is to be digitally associated with an authorized end user and a target resource to which the authorized end user is to be provided authenticated access using the digital certificate via the given network device, and wherein said digital identity comprises a digital authorized end user identity and a digital target resource identity.
- the target resource is operatively associated with a network application instance, and wherein said digital target resource identity comprises a digital network application instance identity.
- a non-transitory computer-readable medium comprising statements and instructions stored thereon to be executed by one or more processors to implement a certificate enrolment policy enforcement process by executing the process as defined above.
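The front-end policy described in the process items above (a challenge password pre-emptively bound to an end user identity and a target resource identity, the digest the device signs once the front-end appends the challenge password to the preliminary certification request, and a SCEP request issued to the CA only when the signed request names the bound identities), as an added Python example that is not part of the patent. The dict-based request, its field names, the in-memory server directory and the expiry window are constructed stand-ins; a real PKCS#10 request carries the value in the PKCS#9 challengePassword attribute (OID 1.2.840.113549.1.9.7).

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# PKCS#9 challengePassword attribute OID; a real PKCS#10 request carries the
# challenge password there. The dict used below is a constructed stand-in.
CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"


@dataclass
class Binding:
    """Server-directory record for one challenge password (OTP).
    Only a hash of the OTP is kept; the OTP itself is handed to the entity."""
    user_id: str        # digital end user identity
    resource_id: str    # digital target resource identity
    expires_at: float   # expiry window: a practical assumption, not in the page
    used: bool = False  # one-time password: consumed on first accepted use


def _otp_hash(otp: str) -> bytes:
    return hashlib.sha256(otp.encode("utf-8")).digest()


class EnrolmentFrontEnd:
    def __init__(self, ttl_seconds: float = 600.0, now=time.time):
        self._bindings: dict[bytes, Binding] = {}   # server directory (constructed)
        self._ttl = ttl_seconds
        self._now = now
        self.relayed = []   # enrolment requests handed on to the RA/CA
        self.audit = []     # policy decisions, for monitoring and detection

    def request_challenge_password(self, user_id: str, resource_id: str) -> str:
        """Pre-emptive request via the administrative interface: mint an OTP
        and bind it to the identities it is allowed to enrol."""
        otp = secrets.token_urlsafe(24)
        self._bindings[_otp_hash(otp)] = Binding(
            user_id, resource_id, self._now() + self._ttl)
        return otp  # delivered to the network entity over the secure channel

    @staticmethod
    def signing_digest(preliminary_csr: bytes, otp: str) -> bytes:
        """Split-signing variant: the front-end appends the challenge password
        to the preliminary certification request and returns the digest the
        network entity signs with its private key."""
        return hashlib.sha256(preliminary_csr + otp.encode("utf-8")).digest()

    def issue_enrolment_request(self, signed_request: dict) -> tuple:
        """Policy enforcement before a SCEP request goes to the CA: the OTP
        must be known, unexpired, unused, and bound to exactly the end user
        and target resource the signed request names."""
        otp = signed_request.get("attributes", {}).get(CHALLENGE_PASSWORD_OID, "")
        binding = self._bindings.get(_otp_hash(otp))
        if binding is None:
            return self._deny("unknown challenge password")
        if self._now() > binding.expires_at:
            return self._deny("challenge password expired")
        if binding.used:
            return self._deny("challenge password already used (replay)")
        if (signed_request.get("subject") != binding.user_id
                or signed_request.get("resource") != binding.resource_id):
            return self._deny("request identities do not match OTP binding")
        binding.used = True  # consumed now, even if the CA later refuses
        self.relayed.append({"scep": "PKCSReq", "request": signed_request})
        self.audit.append(("allow", binding.user_id, binding.resource_id))
        return True, "enrolment request issued to CA"

    def _deny(self, reason: str) -> tuple:
        self.audit.append(("deny", reason))
        return False, reason


def demo() -> dict:
    """Walk the policy outcomes with a controllable clock and return them."""
    clock = [1_000.0]
    fe = EnrolmentFrontEnd(ttl_seconds=600.0, now=lambda: clock[0])
    otp = fe.request_challenge_password("alice@example.test", "vpn-gw-01")
    good = {"subject": "alice@example.test", "resource": "vpn-gw-01",
            "attributes": {CHALLENGE_PASSWORD_OID: otp}, "signature": b"<sig>"}
    # Valid, unused OTP presented with a different subject: must be refused
    # without consuming the OTP, so the legitimate request still succeeds.
    wrong_identity = dict(good, subject="mallory@example.test")
    out = {}
    out["mismatch"] = fe.issue_enrolment_request(wrong_identity)
    out["valid"] = fe.issue_enrolment_request(good)
    out["replay"] = fe.issue_enrolment_request(good)
    otp2 = fe.request_challenge_password("bob@example.test", "lab-door-7")
    clock[0] += 601.0  # step past the TTL before the request arrives
    late = {"subject": "bob@example.test", "resource": "lab-door-7",
            "attributes": {CHALLENGE_PASSWORD_OID: otp2}}
    out["expired"] = fe.issue_enrolment_request(late)
    out["relayed"] = len(fe.relayed)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```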
- FIGURE 1 is a component diagram for an environment in which embodiments of the disclosure may be practiced
- FIGURE 2 is a diagram of an exemplary client computer that may be included in a system in accordance with at least one of the various embodiments;
- FIGURE 3 is a diagram of an exemplary network computer that may be included in a system in accordance with at least one of the various embodiments;
- FIGURE 4A and FIGURE 4B are schematic physical and logical diagrams, respectively, of a wearable user authentication / access authorization device, in accordance with at least one of the various embodiments;
- FIGURE 5A is a logical schematic diagram of a biometric device showing sensors for fingerprint scanning and electrocardiogram signal capturing in accordance with at least one of the various embodiments;
- FIGURE 5B is a logical schematic diagram of a biometric device showing another arrangement of sensors for fingerprint scanning and electrocardiogram signal capturing in accordance with at least one of the various embodiments;
- FIGURE 5C is a logical schematic diagram of a biometric device showing a top view of the embodiment of Figure 5B for fingerprint scanning and electrocardiogram signal capturing;
- FIGURE 6 is a high level system diagram illustrating interactions between various user authentication devices (UAD) and a customer client machine operating an enterprise management application for managing user presence authentication and/or access authorizations to various customer resources based, at least in part, on digital certificates issued by an external certification authority via enterprise network device enrolment and front-end enrolment services, in accordance with one embodiment;
- UAD user authentication devices
- Figure 7 is a diagram of communication sequences between various components of the system illustrated in Figure 6 to implement digital certificate enrolment, in accordance with one embodiment
- Figure 8 is a diagram of communication sequences between various components of the system illustrated in Figure 6 to implement digital certificate enrolment, in accordance with one embodiment
- Figure 9 is a diagram of illustrative communication sequences for different processes involved in the implementation of one-time password requests and enforcement policies for digital certificate enrolment, in accordance with one embodiment.
- elements may be described as “configured to” perform one or more functions or “configured for” such functions.
- an element that is configured to perform or configured for performing a function is enabled to perform the function, or is suitable for performing the function, or is adapted to perform the function, or is operable to perform the function, or is otherwise capable of performing the function.
- language of “at least one of X, Y, and Z” and “one or more of X, Y and Z” may be construed as X only, Y only, Z only, or any combination of two or more items X, Y, and Z (e.g., XYZ, XY, YZ, ZZ, and the like). Similar logic may be applied for two or more items in any occurrence of “at least one ...” and “one or more ...” language.
- the term “or” is an inclusive “or” operator, and is equivalent to the term “and/or,” unless the context clearly dictates otherwise.
- the term “based on” is not exclusive and allows for being based on additional factors not described, unless the context clearly dictates otherwise.
- the meaning of “a,” “an,” and “the” include plural references.
- the meaning of “in” includes “in” and “on.”
- “physiological signal” as used herein is understood to mean any signal that can be obtained via a sensor or device when operatively interfacing with a user to confirm a live user presence.
- physiological signals are heart rate, galvanic skin response, temperature, electrocardiogram (ECG), photoplethysmogram (PPG), electromyogram, electroencephalogram, transient otoacoustic emissions, phonocardiogram, perspiration, or a combination thereof.
- ECG electrocardiogram
- PPG photoplethysmogram
- a live user presence can also be confirmed using any combination of the above or other physiological parameters, as can other physiological signals and/or sensors be considered alone or in combination to produce this result.
- “biometric” means any signal that can be obtained from a user that can uniquely identify the user, including, but not limited to, one or more unique physiological signals or signatures that can be processed to uniquely identify the user.
- biometric signals are gait, heart rate, galvanic skin response, temperature, fingerprint, voice or voiceprint, body electrical characteristic, body thermal characteristic, iris pattern, vein pattern, eye vein pattern, facial or other anatomical structure, electrocardiogram (ECG), photoplethysmogram (PPG), electromyogram, electroencephalogram, transient otoacoustic emissions, phonocardiogram, DNA, one or more chemical markers, one or more biochemical markers, skin-color variation or discolouration, perspiration, or a combination thereof.
- a unique identity of a user can also be obtained by observing patterns or combinations of one or more biometric characteristics. For example, a person may have a unique heart rate at a particular temperature and with a
- biometric observations can be combined or fused to obtain a multi-modal unique biometric profile. This is especially useful in situations wherein one particular biometric is not sufficient as a standalone identifier.
- perspiration and gait can be combined or fused to provide a unique biometric profile for a user.
- Information from sources that are standalone identifiers can also be combined in order to increase accuracy and/or security.
- a multi-modal biometric system may fuse fingerprints with iris and face characteristics.
- “access point” and “resource” are used interchangeably herein to refer to any logical or physical gateway, device, or application that requires authentication, such as for security or personalization purposes, and is otherwise locked or inaccessible to the user.
- physical access points are electronically locked doors, parking transceivers, smart environment technologies, vehicle doors and transit systems.
- logical access points are password, PIN, passcode or otherwise digitally protected electronic devices (e.g. smartphone, desktop computer, laptop, tablet, workstation, onboard vehicular device, etc.) or accounts, proof of payment systems, point of sale stations, automated bank teller machines, library checkout systems, and hotel and airport check-in stations.
- access points may be considered a generic term for applications, computers, terminals, devices, or the like, that are enabled to communicate using the protocols described herein.
- a wireless access point may be operatively associated with a network application to identify, monitor or track an authenticated user presence without necessarily invoking a further action in response to such recognized user presence.
- user presence authentication may not be limited to such applications, but may also include embodiments where a user’s authenticated presence is recognized, monitored and/or tracked for other purposes, such as for advertising, analyzing user traffic and/or usage of designated physical spaces, law enforcement, etc.
- “access point” and “resource” will be used interchangeably herein to refer not only to the computational device or application (e.g. physical hardware, firmware and/or software application) being accessed and operated to implement or provide for user presence authentication and/or access authorizations, but also any one or more resources that are operatively associated therewith, whereby a resource may include, but is not limited to: a physical space, room, zone or area contained or otherwise restricted by an electronically controlled gateway, door, gate or entryway; physical or computational workstation, device, equipment and/or tool for manufacturing, testing, verification, simulation, development, research, experimentation, assembly, etc.; physical or digital library, directory, repository and/or other classified or restricted information repository; and/or the like.
- the term “access control signal” as used herein refers to the signal sent by an access control device to a physical or logical access point that may enable the user to unlock or access the access point.
- the control signal may be a binary encoded sequence or user identifier transmitted wired or wirelessly using but not limited to Bluetooth, near field communication, ultra-wide band, RFID, or Wi-Fi.
- the control signal is generally a non-biometric signal, however it can also be a biometric signal if the access control at the access point requires it depending on the application and/or context at hand.
- finger refers to any digit attached to a hand or foot, including a thumb or a toe.
- encryption as used herein is understood to refer to actions that change (information) from one form to another especially to hide its meaning.
- encryption as used herein may include employing pseudorandom transformations that produce pseudorandom outputs in the sense that a cipher text may be distinguishable from a completely random sequence of bits of the same length without revealing anything about the plaintext. For example, consider adding one or more zeros at the end of every encryption output.
- encryption may include applying pseudo-random function information, where the key of the pseudorandom function may be stored locally on a mobile device.
- “authorized authentication device” and “user authentication device” as used herein refer to devices and/or access points that may be arranged to include specialized applications for enrolling/registering a mobile device with a user.
- Authorized authentication devices may be arranged to store keys, encrypted biometric user profiles, or the like.
- implementation of at least some of the AAD functionality may be incorporated and/or otherwise embedded within the functions of a portable device, such as embedded within a wearable authentication/user access authorization device or the like, and/or distributed between such portable/wearable devices and/or one or more network-accessible servers, client computers, access points or the like.
- a user authentication device or “UAD” is defined as a portable or wearable device operable to execute onboard user authentication procedures to thereby activate the UAD to broadcast or otherwise communicate or distribute an authenticated user status or identity for implementing/processing authenticated user presence or access privileges with one or more access points/resources.
- various embodiments are directed towards communicating using a mobile device, such as a mobile or wearable user authentication and user presence and/or access authorization device in a secured environment.
- Co-pending Canadian Patent Application No. 2,992,333 for a User Access Authorization System and Method, and Physiological User Sensor and Authentication Device Therefor, and U.S. Patent No. 9,197,414 for a Cryptographic Protocol for Portable Devices provide illustrative environments and contexts for implementation of the herein described embodiments.
- an enrolment front-end service e.g. server, application, engine, etc., generically and interchangeably referenced herein as a front-end interface, engine and/or process
- an external certification authority (e.g. a non-Active Directory-integrated public key infrastructure (non-AD-integrated PKI) or standalone CA) operable to manage, intermediate and/or otherwise facilitate certificate enrolment and/or policy enforcement/enhancement for various customer end users/entities (e.g. users, applications, etc.), such as during enterprise setup for a particular client system, device or user, and/or for the purposes of certificate renewals, revocations, re-initializations, etc.
- an external enterprise security services system is implemented for the purposes of providing customer security services in which multiple user authentication devices can be used to routinely authenticate authorized end users and manage user access privileges accordingly.
- a set of end users are provided with a corresponding set of portable (wearable) user authentication devices (UAD) 602 to be used to authenticate each end user (e.g. via PIN, password, onboard biometric authentication, etc.) for the purposes of communicating an authenticated user identity, for example, in authenticating a user presence and, in some further examples, gaining user access to one or more customer resources 604 accordingly.
- Various measures to ensure secure user authentication, live user presence, prevent fraud, collusion or the like are illustratively described below, as are other complementary/alternative means for securely authenticating the user via onboard and/or communicatively accessible authentication and status broadcast resources.
- a UAD may be used to securely authenticate the user, for example, to gain authenticated access to certain authorized resources 604 whose access is at least in part operatively controlled by a security-enabled (network) application 605 operating locally or distributively to communicate with nearby UADs 602 via a related access point or like communication path.
- a given UAD 602 may be logically linked to a particular user to perform onboard user authentication to activate the UAD 602 and thus actively or selectively broadcast a user-authenticated status or authenticated user identity.
- an actively authenticated or pre-authorized UAD may transact with one or more instances of a security enabled (network) application 605 that can be operated to recognize, monitor and/or track an authenticated user presence, for example, to grant authenticated user access to one or more corresponding resources 604 operatively associated therewith.
- the network application 605 may be operated to securely identify the authenticated user (e.g. using one or more (mutual) user/device/application authentication procedures) in providing authenticated access to the corresponding resource if so authorized.
- the following examples will relate to a system for granting authenticated user access privileges to authenticated users based on successful user identification, authentication and communications relating thereto between a given UAD and network application (instance).
- each end user may be attributed one or more customer access privileges (e.g. to Resource X, Y and/or Z) to be implemented via their respective UAD 602.
- respective digital certificates may be issued to accommodate such diversified access privileges; namely, User A may seek to enrol a user-specific certificate to access Resource X (e.g. certificate(A,X) 620), User B may seek to enrol respective user-specific certificates to respectively access each of Resources Y and Z (but not X), and User C may seek to enrol respective user-specific certificates for each resource along with possibly a higher level authorization certificate to access the enterprise management application 606.
- Each certificate can then be used to successfully negotiate access to its corresponding resource via the resource’s respective SEA instances 605 (or EMA 606). While this illustrative example contemplates user and target resource-specific certificates, similar considerations may apply to the enrolment of certificates to be associated with different entities, be they end users, network devices, applications and/or instances thereof, associated resources, or the like.
- end user certificate enrolment is implemented via an external (standalone) CA 616, for example, to reduce customer impact and touch points in outsourcing managements of such security resources (which external CA can be used to provide certificate enrolment, and other security management services, to various customers interfacing therewith).
- an enterprise management application 606 operates on a customer/client machine (e.g. local network infrastructure) 608 that interfaces with an enterprise server 610 operated by the external security services provider to process certificate enrolment requests, optionally among other UAD enterprise setup procedures.
- a front-end certificate enrolment service illustrated herein as a front-end Web enrolment service (WES) 612, is illustratively implemented by the enterprise server 610.
- the WES is provided in this example to interface with the enterprise server’s network device enrolment service 614 (and downstream enterprise certification authority (CA) 616) and optional enterprise server directory 618, on the one side, and the customer-operated enterprise management application 606 on the other in circumventing user actions typically required to implement OTP verifications for certificate enrolment authorization.
- an enterprise server administrator can initiate certain preparatory transactions to be later engaged by enterprise management application 606 with the enterprise server 610, for instance to invoke, via an authorized administrative interface, an automated OTP distribution before a certificate enrolment procedure is initiated for a given UAD 602, whereas in other embodiments, certificate enrolment procedures may be initiated for a given UAD 602 without pre-emptive action from such administrator.
- optional automated OTP policy enhancements may also be automatically invoked and implemented by the front-end enrolment service, as will be described in further detail below, for example, to enhance security provisions associated with such enrolments.
- certificate enrolment is initiated at step 702 upon initiating UAD enterprise setup and user authentication via the enterprise management application (EMA).
- the UAD and EMA will proceed through mutual authentication at step 704, followed by the EMA generating a certificate signing request (CSR) at step 706.
- the UAD will locally generate a key pair at step 708 and send the CSR without OTP at step 710 to the EMA.
- the EMA and the enterprise server’s enrolment Web service will establish a TLS connection with server authentication at 712, establish client authentication using the user’s authentication device credentials at 714 and forward the CSR without OTP at 716.
- the EWS will internally enforce applicable security policies (e.g. subjects in CSR and www client authentication must match) at 718, and, upon successful enforcement, request an OTP from the network device enrolment service (NDES) at 720 on behalf of the user.
- the OTP will be returned to the EWS at 722, which will append the OTP to the CSR and calculate a hash accordingly at 724.
- the EWS will request from the EMA that the CSR hash be signed, which request will be forwarded to the UAD at 728.
- the CSR signature will be returned to the EMA at 730, which will be forwarded thereby at 732 to the EWS, which will itself at 734 construct the CSR and Simple Certificate Enrolment Protocol (SCEP) request to ultimately forward the SCEP request to the NDES at 736.
- the certificate request will finally be relayed to the enterprise certification authority (CA) at 738, which will return a user certificate at 740 to the NDES, which will itself forward the user certificate to the EWS at 742, to be forwarded at 744 to the EMA, and finally forwarded thereby to the UAD at 746 which stores the user certificate at 748.
- Enterprise setup can be pursued thereafter, and the user certificate employed as needed in subsequent user authentication/authorization procedures.
- the front-end enrolment service authenticates the end entity (e.g. a user, an application) using existing credentials (e.g. UAD user / machine credentials). It then requests an OTP on behalf of the entity. It adds the OTP to the CSR and provides a digest of the updated CSR to the entity for re-signing. The OTP is never exposed to the end entity and the private key associated with the certificate is never exposed outside of the end entity.
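The re-signing exchange summarized above, written out as an added Go simulation; this is not code from the patent or from any product it describes. Ed25519 stands in for the key pair the UAD generates, a plain struct stands in for the DER-encoded PKCS#10 request, the RA and the front-end service are in-process objects, and the service's `otps` field abstracts where the OTP comes from (the RA on the entity's behalf as in Figure 7, or a directory an administrator populated earlier as in Figure 8). All type and function names are assumptions. The point it makes is the one the text states: the service only ever hands the entity a digest to sign, so the private key stays on the entity, and the entity only ever sees that digest, so the OTP stays on the service side and is consumed by the RA on first use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// CSR is a constructed stand-in for a PKCS#10 request (no DER encoding).
type CSR struct {
	Subject           string            // identity the certificate is requested for
	PublicKey         ed25519.PublicKey // key pair generated on the UAD (step 708)
	ChallengePassword string            // OTP appended by the front-end service (724)
	Signature         []byte            // end entity's signature over Digest()
}

// Digest binds subject, key and OTP (with separators) into the signed value.
func (c CSR) Digest() []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(c.Subject), c.PublicKey, []byte(c.ChallengePassword)} {
		h.Write(part)
		h.Write([]byte{0}) // field separator, so boundaries are unambiguous
	}
	return h.Sum(nil)
}

// EndEntity is the UAD side: the private key never leaves it.
type EndEntity struct{ priv ed25519.PrivateKey }
func NewEndEntity() *EndEntity {
	_, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return &EndEntity{priv: priv}
}

// NewCSR is step 710 (no OTP leaves the entity); SignDigest is steps 728-730 (only a hash is seen).
func (e *EndEntity) NewCSR(subject string) CSR {
	return CSR{Subject: subject, PublicKey: e.priv.Public().(ed25519.PublicKey)}
}
func (e *EndEntity) SignDigest(digest []byte) []byte { return ed25519.Sign(e.priv, digest) }

// RA stands in for the network device enrolment service: user -> outstanding OTP (constructed random value, step 720).
type RA map[string]string
func (r RA) IssueOTP(user string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	r[user] = fmt.Sprintf("%x", b)
	return r[user], nil
}

// Accept (step 736) consumes the OTP before checking proof of possession,
// so a bad request burns it instead of leaving it open for another try.
func (r RA) Accept(csr CSR) error {
	want, ok := r[csr.Subject]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(csr.ChallengePassword)) != 1 {
		return errors.New("RA: challenge password rejected")
	}
	delete(r, csr.Subject)
	if !ed25519.Verify(csr.PublicKey, csr.Digest(), csr.Signature) {
		return errors.New("RA: proof of possession failed")
	}
	return nil
}

// EnrolmentService is the front-end Web enrolment service. otps abstracts the
// OTP source: the RA itself (Figure 7) or an administrator-filled directory (Figure 8).
type EnrolmentService struct{ otps func(user string) (string, error) }

// Enrol covers steps 716-734; authenticatedUser is proven by client authentication at 714.
func (s *EnrolmentService) Enrol(authenticatedUser string, csr CSR, sign func([]byte) []byte) (CSR, error) {
	if csr.ChallengePassword != "" || csr.Subject != authenticatedUser { // policy at 718
		return CSR{}, errors.New("policy: subject must match the authenticated client and carry no OTP")
	}
	otp, err := s.otps(authenticatedUser)
	if err != nil {
		return CSR{}, err
	}
	csr.ChallengePassword = otp
	digest := csr.Digest()
	csr.Signature = sign(digest) // only the digest crosses back to the entity
	if !ed25519.Verify(csr.PublicKey, digest, csr.Signature) {
		return CSR{}, errors.New("end entity returned an invalid signature")
	}
	return csr, nil
}

func main() {
	ra, uad := RA{}, NewEndEntity()
	svc := &EnrolmentService{otps: ra.IssueOTP}
	signed, err := svc.Enrol("user-a", uad.NewCSR("user-a"), uad.SignDigest)
	fmt.Println("enrol error:", err, "accepted:", ra.Accept(signed) == nil, "replay accepted:", ra.Accept(signed) == nil)
}
```

Two design points worth noting: the digest covers the challenge password with explicit field separators, so the RA's signature check also proves the entity signed the request containing the OTP the RA issued rather than an earlier OTP-less version; and the RA deletes the OTP before verifying the signature, which is the conservative ordering for a one-time credential.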
- a user certificate enrolment procedure, in this example pre-emptively prepared by an enterprise administrator to enable automated OTP distribution, will now be described.
- the administrator will first request, at 850, an OTP for a given user or users from the EWS.
- the OTP request is forwarded by the EWS to the NDES, which returns the requested OTP at 854.
- the OTP is then stored in an enterprise directory at 856, which completes the pre-emptive OTP administration procedure at 858.
- user certificate enrolment is then initiated at step 802 upon initiating UAD enterprise setup and user authentication via the enterprise management application (EMA).
- the UAD and EMA will again proceed through mutual authentication at step 804 (e.g. establish secure authenticated access, for example, via Active Directory (AD)), followed by the EMA requesting the OTP corresponding to this particular user at 860 from the enterprise directory.
- the OTP is returned by the directory to the EMA at 862.
- the EMA will generate a certificate signing request (CSR) at step 806 to the UAD, which will locally generate a key pair at step 808 and send the CSR, this time with OTP, at step 810.
- the EMA and the enterprise server’s enrolment Web service will establish a TLS connection with server authentication at 812, establish client authentication using the user’s authentication device credentials at 814 and forward the CSR with OTP at 816.
- the EWS will internally enforce applicable security policies (e.g. subjects in CSR and www client authentication must match) at 818 and 819, and, upon successful enforcement, construct the simple certificate enrolment protocol (SCEP) request at 834 to ultimately forward the SCEP request (CSR with OTP) to the NDES at 836.
- the certificate request will finally be relayed to the enterprise certification authority (CA) at 838, which will return a user certificate at 840 to the NDES, which will itself forward the user certificate to the EWS at 842 in the form of a SCEP response, to be forwarded at 844 to the EMA in the form of a user certificate enrolment response, and finally forwarded thereby to the UAD at 846 which stores the user certificate at 848.
- the OTP can then be deleted from the directory at 864 and confirmed thereby at 866. Enterprise setup can be pursued thereafter, and the user certificate employed as needed in subsequent user authentication/authorization procedures.
- the front-end enrollment service provides an interface for an administrative user to request OTPs on behalf of specific end-entities (users / machines).
- the OTPs are stored in a back-end database (e.g. enterprise directory).
- the end entity authenticates with the enrollment service and submits a certificate request
- the OTP is retrieved from the database and provided to the enrollment service.
- Enrollment service includes the OTP and asks the end-entity to re-sign the CSR as in the previous option.
- the ability to satisfy the need for authenticating / authorizing certificate enrollment is provided without the need for user intervention for distributing / entering OTP.
- the OTP value is never exposed to the end user / end entity hence reducing the opportunity for abusing OTP.
- the EWS may be operated to enforce certain OTP policies when processing a particular certificate request.
- while OTP policy implementation and enforcement may be considered within the exemplary embodiments of Figures 7 and 8, such policy implementation and enforcement considerations may also, or alternatively, be considered independently within the context of other certificate enrolment procedures.
- certificate enrollment protocols like PKCS#10 and SCEP generally make use of a challengePassword attribute for authorizing certificate enrollment.
- a given registration authority may enforce certain policies on the challengePassword, e.g. the challengePassword may be for one-time use only (e.g. OTP), and may expire after a certain period of time.
- the policy enforced by the RA may not be adequate for the security requirements of the system in question, for example when the registration authority is based on a commercial off the shelf product.
- a certificate enrolment challenge password (e.g. OTP) policy augmentation method and system may be implemented to enhance security considerations surrounding certificate enrolment and related OTPs issued therefor.
- a certificate enrolment service 912 (e.g. a RA front-end or the EWS of Figures 6, 7 or 8)
- a registration authority 914 (e.g. the network device enrolment service of Figures 6, 7 or 8)
- a target certification authority (CA) 916
- policy augmentations may include, but are not limited to, restricting successful OTP processing to a target end user (e.g. end user A, B or C in Figure 6) and/or subject (e.g. resource X, Y or Z in Figure 6) for which a related digital certificate is to be issued and subsequently used for user identification, authentication and/or access authorization procedures.
- other target or designated entity types may be considered herein without departing from the general scope and nature of the present disclosure, such as different end users, devices, applications or the like and that, in various combinations as may be relevant or applicable to the application and environment at hand.
- an OTP request sequence (shown in solid lines), an unauthorized certificate request sequence based on the issued OTP and applied policy augmentations (shown in dash-dot lines), and an authorized certificate request sequence based on the issued OTP and applied policy augmentations (shown in dotted lines).
- User A requests an OTP for Subject (e.g. Resource) X from the enrolment service 912.
- Subject X may be represented by a target network-enabled resource identity to which the end user wishes to gain authenticated user access, thus the end user being the source of the enrolment request whereas the target resource is the subject.
- the enrolment service 912 at 1004 requests the OTP from the RA 914 and receives the OTP therefrom at 1006.
- the enrolment service 912 then, at 1008, stores the OTP, along with certain policy augmentations that may be applied thereto beyond the standard one-time use and possible lifetime policies; in this case, policies are augmented to both identify the intended user for whom the OTP has been issued and the intended subject for which it was issued. For example, these policies may be stored together with a hash of the OTP (e.g. annotated as OTR(A,C)).
- a user within this context may include, but is not limited to, an authorized end user for whom authenticated user access may be authorized for certain system resources, which resources may be the subject of the digital certificate being requested.
- resources may include different forms of physical, logical, computational and/or like resources within a given environment for which particular user access restrictions and/or authorizations may be required and applied in accordance with different user/management preferences, profiles and/or criteria.
- an OTP request subject may thus define the particular access resource selected for this user, whereby distinct certificate enrolment requests, and related OTP processes, may be applied for each given user and for each resource to which each such given user is to be provided authenticated authorized user access.
- the embodiments herein described are not to be limited to such examples, whereby a particular user defined for a particular OTP request and subsequent certificate may rather, or additionally include a client application, device or the like, whereas a particular subject may include different resources, applications, devices or the like as may be applicable within the particular context at hand.
- when a request for certificate enrolment is received from User A for Subject X at 1012, the enrolment service 912 will generally authenticate User A, extract the OTP and enforce the policies at 1014 before the certificate request can be authorized to proceed. In this case, provided that this is the first time the OTP is used and the request is made within the lifetime of the OTP, and since the authenticated request came from User A and is for Subject X, the request is authorized by the enrolment service 912 and proceeds at 1016 to the RA 914 and ultimately at 1018 to the CA 916, which returns the requested certificate (e.g. Cert(A,X)) to User A at 1020 for Subject X.
- the enrolment service 912 will automatically identify, at 1024, a mismatch between the user making the authenticated request and the originating user defined by the augmented OTP policies, and reject the certificate request at 1026.
- a similar scenario may be applied where User A wrongly uses the issued OTP for an unauthorized subject (e.g. Subject Y).
- this OTP may be automatically discarded or marked as expired so to avoid further misuse, requiring that User A again request a new OTP for Subject X and try again, as appropriate.
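The policy-augmented OTP handling of steps 1008 to 1026, as an added Go example that is not part of the patent or any product it describes. It keeps, as the text says, only a hash of the OTP alongside the intended user and subject and a lifetime; SHA-256 as the hash, the record layout, the injectable clock and the names `PolicyStore`, `Register` and `Enforce` are all assumptions. The `main` runs the sequences described above with constructed OTP values: User A's authorized request for Subject X, User B presenting A's OTP, User A presenting it for Subject Y, plus reuse and expiry. Every non-success path discards the record, so a misused OTP cannot be tried again and the user must request a fresh one.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// OTPRecord is what the enrolment service keeps at step 1008: not the OTP
// itself but the augmented policy attached to its hash, namely the intended
// user and subject and an expiry, on top of the RA's own one-time-use rule.
type OTPRecord struct {
	User    string
	Subject string
	Expires time.Time
}

// PolicyStore indexes records by SHA-256 of the OTP (the hash function is an
// assumption; the text only says a hash). now is injectable so lifetimes are testable.
type PolicyStore struct {
	now     func() time.Time
	records map[[32]byte]OTPRecord
}

func NewPolicyStore(now func() time.Time) *PolicyStore {
	return &PolicyStore{now: now, records: map[[32]byte]OTPRecord{}}
}

func hashOTP(otp string) [32]byte { return sha256.Sum256([]byte(otp)) }

// Register stores the OTP received from the RA (1006) with its augmentations.
func (s *PolicyStore) Register(otp, user, subject string, lifetime time.Duration) {
	s.records[hashOTP(otp)] = OTPRecord{User: user, Subject: subject, Expires: s.now().Add(lifetime)}
}

// Enforce is step 1014 for an authenticated request. The record is removed
// on every path, so a mismatched, expired or already-used OTP cannot be
// presented again (the discard at 1026); only a nil result lets the request
// proceed to the RA and CA (1016, 1018).
func (s *PolicyStore) Enforce(authenticatedUser, subject, otp string) error {
	h := hashOTP(otp)
	rec, ok := s.records[h]
	if !ok {
		return errors.New("unknown, expired or already used OTP")
	}
	delete(s.records, h)
	switch {
	case s.now().After(rec.Expires):
		return errors.New("OTP lifetime exceeded")
	case rec.User != authenticatedUser:
		return fmt.Errorf("OTP issued to user %q, request authenticated as %q", rec.User, authenticatedUser)
	case rec.Subject != subject:
		return fmt.Errorf("OTP issued for subject %q, request is for %q", rec.Subject, subject)
	}
	return nil
}

func main() {
	clock := time.Date(2020, 1, 1, 12, 0, 0, 0, time.UTC)
	store := NewPolicyStore(func() time.Time { return clock })
	// Constructed OTP values standing in for what the RA returns at 1006.
	store.Register("otp-1", "A", "X", 10*time.Minute)
	fmt.Println("User B presents A's OTP:", store.Enforce("B", "X", "otp-1"))
	fmt.Println("User A retries after discard:", store.Enforce("A", "X", "otp-1"))
	store.Register("otp-2", "A", "X", 10*time.Minute)
	fmt.Println("User A uses it for Subject Y:", store.Enforce("A", "Y", "otp-2"))
	store.Register("otp-3", "A", "X", 10*time.Minute)
	fmt.Println("User A for Subject X:", store.Enforce("A", "X", "otp-3"))
	store.Register("otp-4", "A", "X", 10*time.Minute)
	clock = clock.Add(time.Hour)
	fmt.Println("after the lifetime:", store.Enforce("A", "X", "otp-4"))
}
```

Because the service looks the OTP up by its hash, a wrong guess simply finds no record, and the stored table never holds a value that could be replayed if the directory itself were read; the user and subject checks are what add to the RA's stock one-time-use and lifetime policies.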
- OTP policy augmentation procedures described herein may be applied to different embodiments where a RA front-end is deployed to apply and enforce OTP policy augmentations, as can they be applied within the context of the systems and procedures described above with respect of Figures 6 to 8.
- an enrolment front-end service such as described above, may be implemented to interface with a registration authority, such as an off the shelf network device enrolment service, to not only mitigate OTP processing inconveniences, but also, or alternatively, to implement OTP policy augmentations to increase certificate enrolment security.
- certificate enrolment and OTP provisions described herein may be implemented at various stages or in different contexts depending on the application at hand.
- certificate enrolment may be required or otherwise implemented when a new entity is to be registered/setup with the system.
- a user certificate may be created when a new user enrols a new authentication device within the context of the portable user authentication device described below.
- an application certificate may be generated every time a new application (e.g. a new instance of enterprise management application 606, or security-enabled application 605 of Figure 6) seeks to register itself with the system (e.g. enterprise server 610), for example.
- a new user or application certificate may be required where a previous certificate expires (e.g. in time-limited certificate enrolments) and/or when a previous certificate is revoked (e.g. within the context of a security breach, certificate abuse or misuse, etc.), provided previously certified entities are still valid and a system administrator confirms that they are to remain enrolled within the system.
- FIGURE 1 shows components, in accordance with one illustrative embodiment, of an environment in which embodiments of the invention may be practiced. Not all of the components may be required to practice different embodiments of the invention, and variations in the arrangement and type of the components may be made without departing from the general spirit or scope of the present disclosure.
- system 100 of FIGURE 1 includes local area networks (LANs)/ wide area networks (WANs) - (network) 110, wireless network 108, client computers 102-105, authentication / access authorization device 106 (generally referred to herein as authentication device 106, which may include, but is not limited to, a mobile, wireless, portable, wearable device and/or the like, for example), authentication / access authorization server computer 116 (generally referred to herein as authentication server 116), or the like.
- client computers 102-105 may operate over one or more wired and/or wireless networks, such as networks 108, and/or 110.
- client computers 102-105 may include virtually any computer capable of communicating over a network to send and receive information, perform various online activities, offline actions, or the like.
- one or more of client computers 102- 105 may be configured to operate within a business or other entity to perform a variety of services for the business or other entity.
- client computers 102-105 may be configured to operate as a server, client application, media player, mobile telephone, game console, desktop computer, access point, or the like.
- client computers 102-105 are not constrained to these services and may also be employed, for example, for end-user computing in other embodiments. It should be recognized that more or fewer client computers (than shown in FIGURE 1) may be included within a system such as described herein, and embodiments are therefore not constrained by the number or type of client computers employed.
- Computers that may operate as client computer 102 may include computers that typically connect using a wired or wireless communications medium such as personal computers, multiprocessor systems, microprocessor-based or programmable electronic devices, network PCs, or the like.
- client computers 102-105 may include virtually any portable computer capable of connecting to another computer and receiving information such as, laptop computer 103, mobile computer 104, tablet computers 105, or the like.
- portable computers are not so limited and may also include other portable computers such as cellular telephones, display pagers, radio frequency (RF) devices, infrared (IR) devices, Personal Digital Assistants (PDAs), handheld computers, wearable computers, integrated devices combining one or more of the preceding computers, or the like.
- client computers 102-105 typically range widely in terms of capabilities and features.
- client computers 102-105 may access various computing applications, including a browser, or other web-based application.
- a web-enabled client computer may include a browser application that is configured to receive and to send web pages, web-based messages, and the like.
- the browser application may be configured to receive and display graphics, text, multimedia, and the like, employing virtually any web-based language, including a wireless application protocol messages (WAP), and the like.
- the browser application is enabled to employ Handheld Device Markup Language (HDML), Wireless Markup Language (WML), WMLScript, JavaScript, Standard Generalized Markup Language (SGML), HyperText Markup Language (HTML), extensible Markup Language (XML), JavaScript Object Notation (JSON), or the like, to display and send a message.
- a user of the client computer may employ the browser application to perform various activities over a network (online). However, another application may also be used to perform various online activities.
- Client computers 102-105 are described in more detail below in conjunction with FIGURE 2. Briefly, however, client computers 102-105 also may include at least one other client application that is configured to receive and/or send content with another computer.
- the client application may include a capability to send and/or receive content, or the like.
- the client application may further provide information that identifies itself, including a type, capability, name, and the like.
- client computers 102-105 may uniquely identify themselves through any of a variety of mechanisms, including an Internet Protocol (IP) address, a phone number, Mobile Identification Number (MIN), an electronic serial number (ESN), or other device identifier.
- Such information may be provided in a network packet, or the like, sent between other client computers, server computer 116, device 106, or other computers.
- Client computers 102-105 may further be configured to include a client application that enables an end-user to log into an end-user account that may be managed by another computer, such as server computer 116, or the like.
- Such an end-user account in one non-limiting example, may be configured to enable the end-user to manage one or more online activities, including in one non-limiting example, project management, system administration, configuration management, search activities, social networking activities, browse various websites, communicate with other users, or the like.
- device 106 can be any device that can be worn or otherwise carried by a user and is capable of obtaining authentication data to invoke an authentication process, in this illustrated example, via server 116.
- authentication data may include manually entered data and/or biometric data acquired or otherwise input by the user to seek authentication and, in some implementations, certain access authorizations.
- device 106 will further include one or more physiological sensors and/or proximity detection mechanisms to provide secondary authentication and/or authorization measures to gain and/or maintain authentication/authorization in use.
- Non-limiting examples of suitable wearable authentication devices may include, but are not limited to, a wristband, wristwatch, bracelet, necklace, ring, belt, glasses, clothing, hat, anklet, headband, chest harness, patch, skin probe or earring(s), to name a few, or any other wearable item that is capable of obtaining a biometric signal.
- the device 106 can also be incorporated into clothing.
- the device 106 may comprise more than one biometric and/or physiological sensor, to be used alone and/or in combination, to carry out user authentication and/or live user presence confirmation.
- Device 106 may be arranged to communicate with one or more of client computer 102-105 over a network, such as wireless network 108. Further, device 106 may be arranged to communicate with access points, enabling user access to secure locations and secured electronic devices as well as customization of a user experience.
- client computers 102-105 may be interchangeably applied to the functions and features of the herein described embodiments of portable device 106.
- while client computers are distinctly illustrated herein in one particular embodiment, some embodiments may further or alternatively contemplate portable and/or wearable client computers, as can other embodiments be considered to implement the features and functions of the herein described embodiments.
- Wireless network 108 is configured to couple client computers 102-105 and/or authentication device 106 with network 110.
- Wireless network 108 may include any of a variety of wireless sub-networks that may further overlay stand-alone ad-hoc networks, and the like, to provide an infrastructure-oriented connection for client computers 102-105 and/or authentication device 106.
- Such sub-networks may include mesh networks, Bluetooth, Wireless LAN (WLAN) networks, cellular networks, and the like.
- the system may include more than one wireless network.
- Wireless network 108 may further include an autonomous system of terminals, gateways, routers, and the like connected by wireless radio links, and the like. These connectors may be configured to move freely and randomly and organize themselves arbitrarily, such that the topology of wireless network 108 may change rapidly.
- Wireless network 108 may further employ a plurality of access technologies including 2nd (2G), 3rd (3G), 4th (4G) 5th (5G) generation radio access for cellular systems, WLAN, Bluetooth, Wireless Router (WR) mesh, and the like.
- Access technologies such as 2G, 3G, 4G, 5G, and future access networks may enable wide area coverage for mobile computers, such as client computers 102-105, and authentication device 106 with various degrees of mobility.
- wireless network 108 may enable a radio connection through a radio network access such as Global System for Mobile communication (GSM), General Packet Radio Services (GPRS), Enhanced Data GSM Environment (EDGE), code division multiple access (CDMA), time division multiple access (TDMA), Wideband Code Division Multiple Access (WCDMA), High Speed Downlink Packet Access (HSDPA), Long Term Evolution (LTE), and the like.
- Network 110 is configured to couple network computers with other computers, including, authentication server computer 116, client computers 102-105, authentication device 106 through wireless network 108, or the like.
- Network 110 is enabled to employ any form of computer readable media for communicating information from one electronic device to another.
- network 110 can include the Internet in addition to local area networks (LANs), wide area networks (WANs), direct connections, such as through a universal serial bus (USB) port, other forms of computer-readable media, or any combination thereof.
- a router acts as a link between LANs, enabling messages to be sent from one to another.
- communication links within LANs typically include twisted wire pair or coaxial cable
- communication links between networks may utilize analog telephone lines, full or fractional dedicated digital lines including T1, T2, T3, and T4, and/or other carrier mechanisms including, for example, E-carriers, Integrated Services Digital Networks (ISDNs), Digital Subscriber Lines (DSLs), wireless links including satellite links, or other communications links known to those skilled in the art.
- communication links may further employ any of a variety of digital signaling technologies, including without limit, for example, DS-0, DS-1, DS-2, DS-3, DS-4, OC-3, OC-12, OC-48, or the like.
- remote computers and other related electronic devices could be remotely connected to either LANs or WANs via a modem and temporary telephone link.
- network 110 may be configured to transport information of an Internet Protocol (IP).
- communication media typically embodies computer readable instructions, data structures, program modules, or other transport mechanism and includes any information delivery media.
- communication media includes wired media such as twisted pair, coaxial cable, fiber optics, wave guides, and other wired media and wireless media such as acoustic, RF, infrared, and other wireless media.
- authentication server computer 116 includes virtually any network computer capable of performing actions for storing, authenticating, processing of biometric information, users, access points, or the like.
- FIGURE 1 illustrates authentication server computer 116 as a single computer
- the innovations and/or embodiments are not so limited.
- one or more functions of authentication server computer 116 may be distributed across one or more distinct network computers.
- authentication server computer 116 is not limited to a particular configuration such as the one shown in FIGURE 1.
- authentication server computer 116 may be implemented using a plurality of network computers and/or client computer.
- development computer may operate as a plurality of network computers within a cluster architecture, a peer-to-peer architecture, cloud or virtualized architecture, or the like.
- authentication server computer 116 may be implemented using one or more cloud instances in one or more cloud networks.
- This system may also, or alternatively, seek to confirm a live user presence during authenticated/authorized usage, confirm proximity of such user to a given access point or associated resource during use (i.e. within a designated authorization zone, area or distance threshold), and/or evaluate other secondary user authorization parameters.
- the system is centred around a wearable authentication device that authenticates the wearer based on available authentication data, which may include biometric data, while confirming, based on an acquired physiological signal, that the wearer is in fact a living human being.
- Some embodiments further allow for confirmation that the same user (i.e. the wearer) is both the source of the physiological signal and the authentication data, for instance, within the context of biometric authentication.
- such live user presence, proximity and/or other related provisions may not be implemented, for instance, in reduced security environments and/or to reduce or limit complexity of the implemented authentication devices/systems.
- the wearable authentication device synchronizes with a pre-initialized authorized registration application to authorize the wearable authentication device to wirelessly communicate a preauthenticated user identity to other devices and systems.
- the wearable authentication device activates and privately broadcasts the user’s identification to other devices and systems.
- authentication and/or physiological data is communicated or otherwise transferred to a trusted computation device, such as authentication server 116, for remote processing, thereby reducing a computational load on the wearable device. This enables logical and physical access by the user at one or more access points as a result of a single user authorization.
- a biometric authentication sensor such as a fingerprint reader
- a complementary physiological sensor such as an ECG
- an analysis of the physiological sensor would determine that the user is not a live, in-the-flesh, human being, and so the authentication device would not authenticate the user.
- FIGURE 2 shows one embodiment of client computer 200 that may be included in a system in accordance with at least one of the various embodiments.
- Client computer 200 may include many more or less components than those shown in FIGURE 2. However, the components shown are sufficient to disclose an illustrative embodiment for practicing different embodiments of the present invention.
- Client computer 200 may represent, for example, one embodiment of at least one of client computers 102-105 of FIGURE 1.
- client computer 200 includes a processor 202 in communication with a mass memory 226 via a bus 234.
- processor 202 may include one or more central processing units (CPU).
- Client computer 200 also includes a power supply 228, one or more network interfaces 236, an audio interface 238, a display 240, a keypad 242, an illuminator 244, a video interface 246, an input/output interface 248, a haptic interface 250, and a global positioning system (GPS) receiver 232.
- Power supply 228 provides power to client computer 200.
- a rechargeable or non- rechargeable battery may be used to provide power.
- the power may also be provided by an external power source, such as an alternating current (AC) adapter or a powered docking cradle that supplements and/or recharges a battery, or directly powering the unit.
- Client computer 200 may optionally communicate with a base station (not shown), or directly with another computer.
- Network interface 236 includes circuitry for coupling client computer 200 to one or more networks, and is constructed for use with one or more communication protocols and technologies including, but not limited to, GSM, CDMA, TDMA, GPRS, EDGE, WCDMA, HSDPA, LTE, user datagram protocol (UDP), transmission control protocol/Internet protocol (TCP/IP), short message service (SMS), WAP, ultra-wide band (UWB), IEEE 802.16 Worldwide Interoperability for Microwave Access (WiMax), session initiated protocol/real-time transport protocol (SIP/RTP), or any of a variety of other wireless communication protocols.
- Network interface 236 is sometimes known as a transceiver, transceiving device, or network interface card (NIC).
- Audio interface 238 is arranged to produce and receive audio signals such as the sound of a human voice.
- audio interface 238 may be coupled to a speaker and microphone (not shown) to enable telecommunication with others and/or generate an audio acknowledgement for some action.
- Display 240 may be a liquid crystal display (LCD), gas plasma, light emitting diode (LED), organic LED, AMOLED, PMOLED, or any other type of display used with a computer.
- Display 240 may also include a touch sensitive screen arranged to receive input from an object such as a stylus or a digit from a human hand.
- Keypad 242 may comprise any input device arranged to receive input from a user.
- keypad 242 may include a push button numeric dial, or a keyboard.
- Keypad 242 may also include command buttons that are associated with selecting and sending images.
- Illuminator 244 may provide a status indication and/or provide light. Illuminator 244 may remain active for specific periods of time or in response to events. For example, when illuminator 244 is active, it may backlight the buttons on keypad 242 and stay on while the client computer is powered. Also, illuminator 244 may backlight these buttons in various patterns when particular actions are performed, such as dialing another client computer. Illuminator 244 may also cause light sources positioned within a transparent or translucent case of the client computer to illuminate in response to actions.
- Video interface 246 is arranged to capture video images, such as a still photo, a video segment, an infrared video, or the like.
- video interface 246 may be coupled to a digital video camera, a web-camera, or the like.
- Video interface 246 may comprise a lens, an image sensor, and other electronics.
- Image sensors may include a complementary metal-oxide- semiconductor (CMOS) integrated circuit, charge-coupled device (CCD), or any other integrated circuit for sensing light.
- Client computer 200 also comprises input/output interface 248 for communicating with external devices, such as a headset, or other input or output devices not shown in FIGURE 2.
- Input/output interface 248 can utilize one or more communication technologies, such as USB, infrared, Bluetooth™, ultrasound, Wi-Fi, ultra-wideband, or the like.
- Haptic interface 250 is arranged to provide tactile feedback to a user of the client computer.
- the haptic interface 250 may be employed to vibrate client computer 200 in a particular way when another user of a computer is calling.
- haptic interface 250 may be optional.
- Client computer 200 may also include GPS transceiver 232 to determine the physical coordinates of client computer 200 on the surface of the Earth.
- GPS transceiver 232 may be optional.
- GPS transceiver 232 typically outputs a location as latitude and longitude values.
- GPS transceiver 232 can also employ other geo-positioning mechanisms, including, but not limited to, triangulation, assisted GPS (AGPS), Enhanced Observed Time Difference (E-OTD), Cell Identifier (CI), Service Area Identifier (SAI), Enhanced Timing Advance (ETA), Base Station Subsystem (BSS), or the like, to further determine the physical location of client computer 200 on the surface of the Earth.
- GPS transceiver 232 can determine a physical location within millimeters for client computer 200; and in other cases, the determined physical location may be less precise, such as within a meter or significantly greater distances. In one embodiment, however, client computer 200 may through other components, provide other information that may be employed to determine a physical location of the computer, including for example, a Media Access Control (MAC) address, IP address, or the like.
- Mass memory 226 includes a Random Access Memory (RAM) 204, a Read-only Memory (ROM) 222, and other storage means. Mass memory 226 illustrates an example of computer readable storage media (devices) for storage of information such as computer readable instructions, data structures, program modules or other data. Mass memory 226 stores a basic input/output system (BIOS) 224, or the like, for controlling low-level operation of client computer 200. The mass memory also stores an operating system 206 for controlling the operation of client computer 200.
- this component may include a general-purpose operating system such as a version of UNIX, or LINUX™, or a specialized client communication operating system such as Microsoft Corporation’s Windows Mobile™, Apple Corporation’s iOS™, Google Corporation’s Android™, or the like.
- the operating system may include, or interface with a Java virtual machine module that enables control of hardware components and/or operating system operations via Java application programs.
- Mass memory 226 further includes one or more data storage 208, which can be utilized by client computer 200 to store, among other things, applications 214 and/or other data.
- data storage 208 may also be employed to store information that describes various capabilities of client computer 200. The information may then be provided to another computer based on any of a variety of events, including being sent as part of a header during a communication, sent upon request, or the like.
- Data storage 208 may also be employed to store social networking information including address books, buddy lists, aliases, user profile information, user credentials, or the like. Further, data storage 208 may also store messages, web page content, or any of a variety of user generated content.
- At least a portion of the information stored in data storage 208 may also be stored on another component of client computer 200, including, but not limited to processor readable storage media 230, a disk drive or other computer readable storage devices (not shown) within client computer 200. Further, at least a portion of data storage 208 may be used to store user (e.g. authentication, authorization and/or biometric) profile information 210 for one or more users and/or one or more authentication devices.
- Processor readable storage media 230 may include volatile, non-transitive, non-transitory, nonvolatile, removable, and non-removable media implemented in any method or technology for storage of information, such as computer- or processor-readable instructions, data structures, program modules, or other data. Examples of computer readable storage media include RAM, ROM, Electrically Erasable Programmable Read-only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read-only Memory (CD-ROM), digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other physical medium which can be used to store the desired information and which can be accessed by a computer. Processor readable storage media 230 may also be referred to herein as computer readable storage media and/or computer readable storage device.
- Applications 214 may include computer executable instructions which, when executed by client computer 200, transmit, receive, and/or otherwise process network data.
- Network data may include, but is not limited to, messages (e.g. SMS, Multimedia Message Service (MMS), instant message (IM), email, and/or other messages), audio, video, and enable telecommunication with another user of another client computer.
- Applications 214 may include, for example, user (e.g. biometric) authentication application 216, enrollment application 218, other applications 220, or the like.
- Other applications 220 may include a web browser.
- the web browser may include virtually any application configured to receive and display graphics, text, multimedia, messages, and the like, employing virtually any web based language.
- the browser application is enabled to employ HDML, WML, WMLScript, JavaScript, SGML, HTML, XML, and the like, to display and send a message.
- the browser may enable a user of client computer 200 to communicate with another network computer, such as authentication server computer 116 as shown in FIGURE 1.
- Other applications 220 may additionally include, but are not limited to, calendars, search programs, email clients, IM applications, SMS applications, voice over Internet Protocol (VOIP) applications, contact managers, task managers, transcoders, database programs, word processing programs, software development tools, security applications, spreadsheet programs, games, and so forth.
- FIGURE 3 shows one embodiment of a network computer 300, according to one embodiment of the invention.
- Network computer 300 may include many more or less components than those shown. The components shown, however, are sufficient to disclose an illustrative embodiment for practicing the invention.
- Network computer 300 may be configured to operate as a server, client, peer, a host, cloud instance, or any other computer.
- Network computer 300 may represent, for example authentication server computer 116, and/or other network computers.
- Network computer 300 includes processor 302, processor readable storage media 328, network interface unit 330, an input/output interface 332, hard disk drive 334, video display adapter 336, and memory 326, all in communication with each other via bus 338.
- processor 302 may include one or more central processing units.
- network computer 300 also can communicate with the Internet, or other communication networks, via network interface unit 330, which is constructed for use with various communication protocols including the TCP/IP protocol.
- Network interface unit 330 is sometimes known as a transceiver, transceiving device, or network interface card (NIC).
- Network computer 300 also comprises input/output interface 332 for communicating with external devices, such as a keyboard, or other input or output devices not shown in FIGURE 3.
- Input/output interface 332 can utilize one or more communication technologies, such as USB, infrared, NFC, Bluetooth, or the like.
- Memory 326 generally includes RAM 304, ROM 322 and one or more permanent mass storage devices, such as hard disk drive 334, tape drive, optical drive, and/or floppy disk drive.
- Memory 326 stores operating system 306 for controlling the operation of network computer 300. Any general-purpose operating system may be employed.
- memory 326 may include processor readable storage media 328.
- Processor readable storage media 328 may be referred to and/or include computer readable media, computer readable storage media, and/or processor readable storage device.
- Processor readable storage media 328 may include volatile, nonvolatile, non-transitory, non transitive, removable, and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
- processor readable storage media examples include RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other media which can be used to store the desired information and which can be accessed by a computer.
- Memory 326 further includes one or more data storage 308, which can be utilized by network computer 300 to store, among other things, applications 314 and/or other data.
- data storage 308 may also be employed to store information that describes various capabilities of network computer 300. The information may then be provided to another computer based on any of a variety of events, including being sent as part of a header during a communication, sent upon request, or the like.
- Data storage 308 may also be employed to store messages, web page content, or the like. At least a portion of the information may also be stored on another component of network computer 300, including, but not limited to processor readable storage media 328, hard disk drive 334, or other computer readable storage media (not shown) within network computer 300.
- Data storage 308 may include a database, text, spreadsheet, folder, file, or the like, that may be configured to maintain and store user account identifiers, user profiles, email addresses, IM addresses, and/or other network addresses; or the like.
- Data storage 308 may further include program code, data, algorithms, and the like, for use by a processor, such as processor 302 to execute and perform actions.
- at least some of data store 308 might also be stored on another component of network computer 300, including, but not limited to processor-readable storage media 328, hard disk drive 334, or the like.
- Data storage 308 may include user (e.g. authentication, authorization and/or biometric) profile information 312.
- user profile information 312 may include information, such as, one or more files, that include authentication (e.g. biometric) data for one or more users, or the like, used for authentications of wearable authentication devices.
- data storage 308 may include authentication information 313 that may include information about users, access points, access control lists, or the like.
- Applications 314 may include computer executable instructions, which may be loaded into mass memory and run on operating system 306. Examples of application programs may include transcoders, schedulers, calendars, database programs, word processing programs, Hypertext Transfer Protocol (HTTP) programs, customizable user interface programs, IPSec applications, encryption programs, security programs, SMS message servers, GM message servers, email servers, account managers, and so forth. Applications 314 may also include enrollment application 320 for enrolling and/or activating authentication devices. Applications 314 may also include registration application 321 for authenticating users by employing biometric information, authentication devices, additional conditions, or the like.
- Website server 318 may represent any of a variety of information and services that are configured to provide content, including messages, over a network to another computer.
- website server 318 can include, for example, a web server, a File Transfer Protocol (FTP) server, a database server, a content server, email server, or the like.
- Website server 318 may provide the content including messages over the network using any of a variety of formats including, but not limited to WAP, HDML, WML, SGML, HTML, XML, Compact HTML (cHTML), Extensible HTML (xHTML), or the like.
- a wearable authentication device, such as authentication device 106, may be any device employed by a user, typically worn or held, that is capable of receiving authentication data as input, for example by offering a user input interface for the manual input of authentication data (username, password, code, PIN, etc.) and/or being operable to obtain a biometric signal or like input.
- wearable authentication devices are a wristband, wristwatch, bracelet, necklace, ring, belt, glasses, clothing, hat, anklet, headband, chest harness or earring(s), or, in the context of a biometric device, any other item that is capable of obtaining a biometric signal.
- the wearable authentication device can also be incorporated into clothing.
- the wearable authentication device may comprise multiple input interfaces so to access distinct authentication inputs (e.g. combined manual and biometric inputs, multiple biometric inputs, etc.).
- While wearable authentication devices are contemplated in the illustrated embodiments, for at least one of the various embodiments, authentication devices within the scope of these innovations are not limited exclusively to wearable devices.
- authentication devices in non-wearable form factors may be considered to be within the scope of the innovations described herein.
- a fixed authentication device embedded in a chair, desk, handle bar, or the like, or combination thereof may be considered to be within the scope of the innovations described herein.
- authentication devices that may be held rather than worn are also contemplated to be within the scope of the innovations described herein.
- most of the discussion and examples presented herein are described in terms of wearable authentication devices.
- One of ordinary skill in the art will appreciate the other authentication device form factors are within the scope of these innovations and are envisaged.
- a user of a wearable authentication device may be authenticated with one or more biometric technologies or sensors that may capture biometric signals and/or data that represent biometric features that may be employed to uniquely identify the user.
- the uniqueness of a biometric feature may be directly related to the underlying inter-individual differences in a population.
- biometric data that may be employed to uniquely identify a user are gait, heart rate, galvanic skin response, temperature, fingerprint, voice or voiceprint, body electrical characteristic, body thermal characteristic, iris pattern, vein pattern, eye vein pattern, facial or other anatomical structure, electrocardiogram, photoplethysmogram, electromyogram, electroencephalogram, transient otoacoustic emissions, phonocardiogram, DNA, one or more chemical markers, one or more biochemical markers, skin-color variation or discoloration, or perspiration.
- authentication is performed by the authentication device. However, additionally or alternatively, authentication may be performed by an authorized registration application.
- a physiological feature is also captured, not to identify a user (although this is also contemplated, with various degrees of weight given based on the uniqueness of the physiological signal for use as a secondary biometric feature type), but to determine whether the authentication data was received from a genuine living human being, and/or to determine whether the genuine living human from whom the authentication data was captured is wearing the authentication device.
- an authentication process invoked by or via the device will be satisfied upon confirming authentication of the input authentication data and concurrent live user presence via the device’s physiological feature.
- Such live user presence confirmation may further or alternatively persist during use to confirm live user presence in maintaining user authorizations and otherwise revoke such authorizations if the physiological input is lost (e.g. if the device is removed from the user, or vice-versa).
- the user authentication interface and physiological sensor will be configured so as to be in concurrent contact with the user during authentication, for example, where authentication data input requires user contact (e.g. fingerprint and/or data input) and where such contact invariably results in user contact with a complementary physiological sensor (e.g. probe, interface and/or contact thereof).
- a physiological signal may further require two concurrent physical contact points by a same genuine user, for example in the context of an ECG, which can be achieved in some embodiments through a finger input interface and wrist interface in a wristband or likewise configured device.
- an electrocardiogram is used in at least one of the various embodiments to validate that a fingerprint (e.g. authenticating biometric data) is being captured by a wearer of an authentication device (e.g. as opposed to a fingerprint from a person standing next to the wearer).
- the ECG may also be used to defeat a replay attack by validating that the fingerprint is captured from a genuine living person, as opposed to a fingerprint mold intended to fool the authentication device. Both validations are accomplished by positioning one of the ECG sensors proximate to (e.g.
- biometric and physiological features are captured concurrently, from the same finger.
- authentication and physiological features may be captured sequentially, such that within a defined period of time chosen to prevent another person from substituting their finger, or in parallel.
- authentication and physiological features may be captured within a defined period of time such that the wearable authentication device has not detected the removal of the finger between captures.
- While biometric authentication is considered in the above-noted examples, other authentication mechanisms may also be considered to concurrently or sequentially benefit from physiological user presence confirmation.
- a user input interface for receiving as input manually entered authentication data e.g. touch sensitive screen or interface
- a second ECG sensor is positioned so as to contact the wrist of the wearer.
- an ECG signal is enabled to travel from the heart, through one arm, through one of the ECG sensors, out the other ECG sensor, through the other arm, and back to the heart.
- Without this electrical connection (e.g. if another person is providing the fingerprint or manual input, such that the ECG does not flow through the finger path of the user touching the authentication interface), the authentication device will determine that the authentication data is not being provided by the wearer of the authentication device.
- If the electrical connection is distorted or in any way modified by the use of a fingerprint mold, for example, the ECG sensor will determine that the fingerprint is not being provided by the wearer of the authentication device.
- biometric authentication feature may be any feature that is captured based on contact with the user
- a physiological feature may be any feature that can be captured, at least in part, using the same body part as is used to capture the biometric feature, and which can determine if the wearable authentication device is worn by the owner of that same body part.
- While fingerprint and ECG are discussed in greater detail below as options for providing authentication and live user presence confirmation, such examples should not be considered to limit the general scope and nature of the present disclosure, but rather merely serve as one example consistent with various embodiments of the present disclosure.
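The capture rules described above (fingerprint and ECG taken from the same finger, concurrently or within a defined period with no finger removal detected in between, and revocation of the authorization once the physiological input is lost) can be expressed as a small state machine. The following is an added example in Python, not code from the patent or from any device; the event names, the time window MAX_CAPTURE_GAP_S and the sample event sequences are assumptions constructed for illustration.

```python
"""Liveness-bound authentication gate for a wearable authenticator.

Added example, not code from the patent: it models the rule that the
fingerprint (the authentication data) and the ECG (the live-user-presence
signal) must be captured from the same finger, either concurrently or
within a defined period with no finger removal detected in between, and
that an authenticated state is revoked once the physiological signal is
lost (e.g. the device is taken off). The event names, the time window and
the sample event sequences below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_CAPTURE_GAP_S = 2.0  # assumed: longest allowed spacing between the two captures


@dataclass(frozen=True)
class Event:
    t: float          # seconds since device boot (constructed timestamps)
    kind: str         # "fingerprint" | "ecg" | "finger_removed" | "ecg_lost"
    ok: bool = False  # fingerprint: template matched; ecg: live signal seen across both contacts


class LivenessGate:
    def __init__(self, max_gap_s: float = MAX_CAPTURE_GAP_S):
        self.max_gap_s = max_gap_s
        self.fp: Optional[Tuple[float, bool]] = None   # latest fingerprint since last removal
        self.ecg: Optional[Tuple[float, bool]] = None  # latest ECG reading since last removal
        self.authenticated = False
        self.reason = "no captures yet"

    def feed(self, ev: Event) -> bool:
        """Consume one device event and return the resulting authenticated state."""
        if ev.kind == "fingerprint":
            self.fp = (ev.t, ev.ok)
        elif ev.kind == "ecg":
            self.ecg = (ev.t, ev.ok)
        elif ev.kind == "finger_removed":
            # A removal between the two captures would let a different finger be
            # substituted, so both captures have to start over.
            self.fp = self.ecg = None
            self.reason = "finger removed between captures"
            return self.authenticated
        elif ev.kind == "ecg_lost":
            # Physiological input gone (device off the wrist): nothing vouches for
            # the wearer any more, so an existing authorization is revoked.
            self.fp = self.ecg = None
            self.authenticated = False
            self.reason = "physiological signal lost; authorization revoked"
            return False
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
        if not self.authenticated:
            self._evaluate()
        return self.authenticated

    def _evaluate(self) -> None:
        if self.fp is None or self.ecg is None:
            self.reason = "waiting for both fingerprint and ECG"
            return
        (t_fp, fp_ok), (t_ecg, ecg_ok) = self.fp, self.ecg
        if not fp_ok:
            self.reason = "fingerprint did not match"
        elif not ecg_ok:
            self.reason = "no live ECG across finger and wrist contacts"
        elif abs(t_fp - t_ecg) > self.max_gap_s:
            self.reason = "captures too far apart to bind to one finger"
        else:
            self.authenticated = True
            self.reason = "fingerprint bound to live wearer"


def run(events: List[Event]) -> Tuple[List[bool], str]:
    """Replay events in time order; return the state after each one and the final reason."""
    gate = LivenessGate()
    states = [gate.feed(ev) for ev in sorted(events, key=lambda e: e.t)]
    return states, gate.reason


# Constructed scenarios (not measurements from any real device)
NORMAL = [Event(1.0, "fingerprint", True), Event(1.4, "ecg", True), Event(30.0, "ecg_lost")]
SUBSTITUTED = [Event(1.0, "fingerprint", True), Event(1.2, "finger_removed"), Event(1.5, "ecg", True)]
NOT_LIVE = [Event(1.0, "fingerprint", True), Event(1.1, "ecg", False)]
STALE = [Event(1.0, "fingerprint", True), Event(9.0, "ecg", True)]

if __name__ == "__main__":
    for name, scenario in [("normal", NORMAL), ("substituted", SUBSTITUTED),
                           ("not live", NOT_LIVE), ("stale", STALE)]:
        print(name, run(scenario))
```

The four scenarios cover the cases the text distinguishes: a normal capture pair followed by the device being removed (authenticated, then revoked), a finger removal between the captures (never authenticated, because the pair can no longer be bound to one finger), an ECG that does not show a live wearer across both contacts, and two captures that are individually fine but too far apart in time.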
- the wearable authentication device may include an onboard power source to enable the authentication device to perform the required functions, such as obtaining the authentication and/or physiological signals, transmitting and receiving these and related control signals, and in some embodiments, maintaining a detector for detecting the removal of the wearable authentication device, for example, such as an electronic continuity detector.
- any power source known to the skilled person is acceptable, with non-limiting examples being battery, photovoltaic, kinetic or microgenerator, thermal, piezo-electric generator, inductive charging, and wireless power transfer.
- the wearable authentication device includes one or more radios/transceivers for transmitting and receiving communications.
- the one or more radios/transceivers may transmit and receive communications from systems installed at access points, e.g. transmitting authorization to gain access to one or more access points.
- the wearable authentication device may incorporate a wireless connectivity module such as Bluetooth 4.0 Low Energy (BLE), Near-Field Communications (NFC), Wi-Fi, or other wireless technology capable of transmitting and receiving functions.
- a BLE radio may be used because it may consume significantly less power when communicating in short bursts. In this way, a battery or other power source used to power the wearable authentication device may have an extended life, in some cases on the order of multiple weeks.
- the radios and/or transceivers may be used to transmit data during initialization and authentication, identify the user, and to establish a unique user profile associated with the user and the wearable authentication device.
- the same or other radios and/or transceivers included in a wearable authentication device may also transmit and receive motion data, time of flight, signal strength, and proximity data in order to be aware of local access points.
- the radios and/or transceivers may also be used to receive a positive authentication message that puts the wearable device into an authenticated state, as well as to prompt the user of notification events.
- the wearable authentication device may be arranged to include proximity sensors for sensing an access point (physical or logical), or an authorized application.
- a feature of the Bluetooth 4.0 standard which may be used by radios and/or transceivers included in the authentication device.
- the wearable authentication device may be configured to transmit a beacon signal along with the transmitting signal strength. Accordingly, the receiving device may use this information, along with the received signal strength, to estimate the proximity of the wearable authentication device.
- Non-limiting exemplary uses of the proximity data may include: only unlocking a device when the proximity is within a specified range, i.e., a door lock is only unlocked when the authorized user is within a certain distance, such as 50 cm; a "digital leash" which warns the user when a paired device is no longer within a certain proximity; revoking authorized access to a given resource upon the device moving beyond a designated authorization distance, zone or area, or the like.
- the wearable authentication device may utilize ECG biometric authentication as a secondary, confirmatory form of biometric authentication in addition to the primary authentication mechanism, e.g. fingerprint, finger-vein, etc.
- ECG biometric authentication technology may use unique features of a user’s electrocardiogram (ECG) to create a highly personalized biometric signature for that individual.
- the ECG is universal, unique for every individual, and permanent over time. An ECG may be recorded for every living user, with no exclusion criteria.
- one or more well-known ECG biometrics algorithms may analyze the overall pattern of the signal waveform rather than specific characteristics of the heart-beats and are therefore referred to as "fiducial-independent".
- One of the core algorithms is referred to as the AC/LDA (Autocorrelation / Linear Discriminant Analysis) and has become a standard for the comparison of fiducial dependent and independent algorithms.
- a number of mechanisms for initiation of ECG capture and authentication may be used.
- the authentication device may be arranged to automatically sense when a top electrode is touched, such as using an embedded "lead on/off" detection system, optionally with notification of the lead status to the user.
- ECG capture is initiated in response to capturing primary authentication data, such as a fingerprint.
- when biometric authentication is initiated through fingerprint, one or more images of a finger are captured and stored in a biometric profile 210. In one or more of the various embodiments, when authentication is performed by the registration application, the one or more images of the finger are transmitted to the registration application for processing and stored in biometric profile information 312. Similarly, once ECG capture and liveness validation are initiated, the single-channel filtered ECG data may be processed by the wearable authentication device and/or transmitted to the registration application for processing. In another embodiment, the images of the finger and ECG capture and liveness validation are processed and stored on the device.
- biometric/user enrollment may be initiated, wherein the user touches the wearable authentication device, and then a biometric feature (e.g. a fingerprint, finger-vein) and an ECG are captured and processed by the wearable authentication device, and/or are transmitted to the registration application.
- This process may take as little as about 1 second and up to a few seconds, a minute, or a few minutes depending on the level of interaction with the user with the wearable authentication device and the type of authentication signals being obtained.
- the user (e.g. biometric) profile may be created in a number of different ways.
- the biometric signal may be transmitted to a cloud service, where the processing is performed on the cloud servers to generate the biometric profile.
- the biometric signal may be processed on the registration application to generate the biometric profile.
- the biometric profile may be associated with a user and stored within a cloud service. Also, in at least one of the various embodiments, the biometric profile may be transmitted to the registration application or stored locally just on the device. In at least one of the various embodiments, the biometric profile may be stored on a wearable authentication device that is arranged to include the processing power required to authenticate the user. In another alternative, the processing for the creation of the biometric profile may be performed on the registration application or in the wearable authentication device itself.
- the wearable authentication device may include one or more of: a CPU or system on a chip (SOC) which acts as the controller, a wireless transceiver, an antenna, audible and haptic feedback, and a user interface.
- the controller may be operative for controlling the overall operation of the wearable authentication device.
- the controller functionality may be implemented within, for example, one or more digital processing devices within the wearable authentication device.
- the wireless transceiver is operative for supporting wireless communication between the wearable authentication device and one or more other wireless entities including the AAD and wireless access points. In one embodiment, separate transceivers are provided within the wearable authentication device to support wireless communication between the wearable authentication device and other systems or devices.
- the wireless transceiver may also be coupled to one or more antennas to facilitate the transmission and reception of wireless signals.
- Any type of antenna(s) may be used including, for example, a dipole antenna, a patch antenna, a helical antenna, an antenna array, trace antenna, and/or others, including combinations of the above.
- a user interface may be operative for providing an interface between a user and the wearable authentication device.
- the user interface of an authentication device may include structures such as, for example, a keyboard, a liquid crystal display (LCD), light emitting diode (LED), active-matrix organic light-emitting diode (AMOLED), passive-matrix organic light-emitting diode (PMOLED), capacitive touch screen, a speaker, a microphone, mouse, stylus, one or more physical or electronic buttons, and/or any other form of device or structure that enables a user to input information or commands to the wearable authentication device or receive information or a notification from the device.
- the controller may first determine if the wearable authentication device (and, therefore, the user) is within a predetermined distance or proximity to an access point. In one example, if the wearable authentication device is within proximity of an access point and the wearable authentication device transmits a control signal to the access point indicating that the user has been authenticated, the receiver at the access point may automatically enable access to the user. If the wearable authentication device later goes outside the predetermined distance from the access point, the access point may be locked. In one example, if the access point is a security protected desktop computer and the preauthorized user wearing their preauthorized wearable authentication device temporarily leaves her desk to go to lunch, the computer will automatically lock so that no one else may use it in the user's absence.
- the access point is a smartphone and the smartphone is inadvertently left somewhere by the user, or is stolen, the smartphone will automatically lock up and thus be unusable by an unauthorized party in possession thereof.
- the smartphone will simply be unlocked without having to repeat the automatic log in procedure, assuming that the wearable authentication device remains preauthorized.
- the wearable authentication device, no matter which type of authentication data is used for authentication, should be able to maintain contact with the user (e.g. via an onboard physiological sensor) such that, in the case that the wearable device is removed from the user, the wearable device will require re-initialization prior to authorizing access control.
- the purpose of maintaining contact of the wearable authentication device with the user is to ensure that an authorized authentication device cannot be transferred to a different user without requiring reauthorization. Accordingly, although skin or body contact is not required at all times while the wearable device is in its authenticated state, the wearable device should be on the user in such a way that removal of the wearable will put the wearable device back to its unauthenticated state.
- in the unauthenticated state, the wearable authentication device is not enabled to transmit a control signal to an access point.
- the security of at least some of the herein described embodiments depends on ensuring that removal of the wearable device from the user is reliably detected. Accordingly, the wearable authentication device may be arranged such that removal from the user’s body may be easily detected.
- the wearable device may comprise a sensored adjustable and/or openable clasp to assist the user with putting on and removing the wearable device while monitoring removal of the device from the user in authenticated use.
- removal of the wearable device may be sensed by the wearable authentication device, for example, by opening the clasp, or again by cutting the band, or generally severing an electrical conduit such as an electronic continuity detector.
- One exemplary electronic continuity detector that may be used to detect device removal comprises a simple circuit within the wearable device that runs around the entire wrist and is broken when the clasp is opened or the band is cut.
- other types of device removal detection may be used, for example, including disruption in skin contact detection by way of conductivity, heat flux, galvanic skin response or motion, or periodic or continuous biometric signal detection.
- device removal detection embodiments may include pulse detection, skin temperature detection, ambient temperature detection, blood flow detection, pressure detection, ambient light detection, electromagnetic field detection, respiration detection, heart rate detection, electrocardiogram detection, photoplethysmogram detection, electromyogram detection, electroencephalogram detection, near infra-red detection, skin-color detection, close magnetic contact detection, and mechanical switch detection.
- additional sensors may be incorporated into the device to obtain additional biometric or environmental readings.
- non-limiting examples of an additional sensor are a motion sensor, proximity sensor, barometric sensor, pressure sensor, thermometer, microphone, near infrared sensor, light sensor, GPS sensor, capacitive sensor, gyroscope, manometer, camera, humidity sensor, hall sensor, galvanic skin sensor, photoplethysmogram sensor, electroencephalogram sensor, electromyogram sensor, blood flow sensor, bioimpedance sensor, otoacoustic emission sensor, optical sensor, altimeter sensor or UV light sensor.
- These additional sensors may provide one or more contextual signals such as the location of the wearable device and/or proximity to trusted environments.
- a wearable authentication device may comprise one or more motion sensors that may be used for a variety of purposes, including but not limited to, user input (e.g., tap detection), activity tracking (e.g., pedometer, sports, fitness, etc.), gesture recognition, or the like.
- a wearable authentication device may incorporate a six-axis motion sensor using an integrated accelerometer and gyroscope or a 9-axis motion sensor using integrated accelerometer, gyroscope, and magnetometer application-specific integrated circuit (ASIC).
- Embedded motion sensors may also be utilized for simple gesture recognition to indicate user intent; for example, gestures may be used to distinguish between user intents to unlock different locks on an automobile, such as the driver door, passenger door, the trunk, or the like. In this way, computational requirements on the wearable authentication device may be kept at a minimum.
- the wearable authentication device may be arranged to include notification devices and procedures to alert the user of one or more notification events. Some non-limiting examples of these include one or more notification LEDs and/or a vibration motor.
- a notification event may be an event detected by the wearable authentication device that the user should be aware of. These events may include: when the wearable device has been put into an authenticated state; when the wearable authentication device is communicating with other devices; when the wearable device is sensing motion; and/or when some event has occurred on a paired device, such as receiving an email or text.
- a paired device may be any device or system that interacts with the wearable authentication device.
- the wearable device may also comprise other components such as a display screen, input devices (such as, for example, button, switch, keypad or touchscreen), timepiece/timers, tracking or global positioning (GPS) detector activity, or physiology or emotion tracking.
- the authentication device may be arranged to indicate proximity to other devices.
- wearable authentication devices may be arranged to include additional electronics for storing data for access and use not related to the presently described security system.
- FIGURE 4A and FIGURE 4B are schematic physical and logical diagrams, respectively, of a wearable user authentication / access authorization device, in accordance with at least one of the various embodiments.
- FIGURE 4A illustrates authentication device 400 that is arranged as a wearable wristband/bracelet.
- wristband 402 may be arranged to include various hardware components, probes, sensors, and software for capturing authentication (e.g. biometric) and/or physiological signals from its wearer; making a determination whether authentication data was captured from a live person wearing the wearable wristband/bracelet based on a captured physiological feature; communication with a registration application or access point; authentication of a wearer, or the like, as discussed above.
- wristband 402 may include an adjustable clasp mechanism, such as, clasp 404, for detecting if a wearer removes wristband 402 from his or her wrist. For example, in at least one of the various embodiments, if an authentication device detects that the clasp is opened, it may automatically de-authenticate itself.
- FIGURE 4B schematically illustrates some of the various components that may be comprised in an authentication device in accordance with at least one of the various embodiments.
- wristband 402 may include one or more presence sensors, such as presence sensor 406; presence sensors may be arranged to determine if authentication device 402 is in the presence of a wearer, registration application, access point, or the like, or combination thereof.
- authentication device 402 may include one or more radios or transceivers, such as high bandwidth radio 410 and low bandwidth radio 412. These radios may enable an authentication device to communicate with other computers or devices, such as access points, authentication servers, or the like, or combination thereof.
- clasp sensor 408 may be arranged to determine if the clasp, or other securing mechanism, is opened or closed.
- an opened clasp may indicate that the authentication device may be separated from its authenticated user.
- the authentication device may be arranged to automatically reset or otherwise de-authenticate itself if clasp sensor 408 indicates that the authentication device is removed from the wearer. Further, removal of the wearable device may be sensed by the wearable authentication device for example, by opening the clasp, cutting the band, or generally severing an electrical conduit such as an electronic continuity detector.
- One exemplary electronic continuity detector that may be used to detect device removal comprises a simple circuit within the wearable device that runs around the entire wrist and is broken when the clasp is opened or the band is cut.
- Other types of device removal detection may be used, for example, including disruption in physiological signal such as skin contact detection by way of conductivity, heat flux, galvanic skin response or motion, or periodic or continuous biometric signal detection.
- device removal detection embodiments include physiological tests such as pulse detection, skin temperature detection, blood flow detection, pressure detection, electromagnetic field detection, respiration detection, heart rate detection, electrocardiogram detection, photoplethysmogram detection, electromyogram detection, electroencephalogram detection, near infra-red detection, skin-color detection, close magnetic contact detection, and/or non-physiological tests such as mechanical switch detection, ambient temperature detection, ambient light detection, etc.
- authentication device 402 may be arranged to communicate with various devices, such as, access points, authentication servers and cloud services, or the like, or combination thereof.
- high bandwidth radio 410 may include radios for communication using high bandwidth mechanisms such as Wi-Fi, or the like.
- Low bandwidth radio 412 may represent components for communicating using low-power, shorter range radio systems such as, Bluetooth, Bluetooth Low Energy, NFC, RFID, or the like, or combination thereof.
- these radios may be coupled to one or more antennas to facilitate the transmission and reception of wireless signals. Any type of antenna(s) may be used including, for example, a dipole antenna, a patch antenna, a helical antenna, an antenna array, trace antenna, and/or others, including combinations of the above.
- RAM 414 may be non-volatile and/or volatile random access memory for storing information for operation of authentication device 402. In at least one of the various embodiments, all or portions of the contents of RAM 414 may be erased if the authentication device is removed from its wearer.
- ROM 416 may contain data and/or instructions for the operation of the authentication device. In at least one of the various embodiments, ROM 416 may be "flashable," enabling it to be updated with system updates provided by a registration application or a biometric server service.
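The proximity-gated access behaviour described above (unlock only within 50 cm, the "digital leash" warning, revocation beyond an authorization distance), the authenticated state that is lost when the clasp opens or the continuity loop is broken, and the erasure of RAM 414 on removal, modelled together as added example code; this is not the patent's or the applicant's implementation. The log-distance path-loss formula, its exponent, the distance thresholds and the sample readings are assumptions chosen for illustration.

```python
"""Added example: state handling of a wearable authentication device.

Models (1) distance estimation from a beacon's advertised transmit power and
the received signal strength, (2) proximity-gated access decisions and
(3) de-authentication plus volatile-memory erasure on removal.
Constants and sample readings below are constructed, not from the patent.
"""
from dataclasses import dataclass, field

PATH_LOSS_EXPONENT = 2.0  # free-space-like environment (assumed)


def estimate_distance_m(tx_power_dbm_at_1m: float, rssi_dbm: float,
                        n: float = PATH_LOSS_EXPONENT) -> float:
    """Log-distance path-loss model (assumed):
    d = 10 ** ((txPower - RSSI) / (10 * n)), where txPower is the RSSI the
    beacon advertises it should produce at 1 m."""
    return 10 ** ((tx_power_dbm_at_1m - rssi_dbm) / (10.0 * n))


@dataclass
class AccessPolicy:
    """Distance thresholds; the 50 cm unlock radius follows the text,
    the others are constructed."""
    unlock_within_m: float = 0.5
    leash_warn_beyond_m: float = 5.0
    revoke_beyond_m: float = 10.0


@dataclass
class Wearable:
    """Authenticated state survives only while the device stays on the wearer."""
    authenticated: bool = False
    clasp_closed: bool = True
    continuity_ok: bool = True  # loop around the wrist is intact
    volatile_ram: dict = field(default_factory=dict)  # session secrets (RAM 414)
    events: list = field(default_factory=list)

    def _on_wearer(self) -> bool:
        return self.clasp_closed and self.continuity_ok

    def authenticate(self, session_key: bytes) -> bool:
        """Enter the authenticated state; refused unless the device is worn."""
        if not self._on_wearer():
            self.events.append("refused: device not on wearer")
            return False
        self.authenticated = True
        self.volatile_ram["session_key"] = session_key
        self.events.append("authenticated")
        return True

    def _on_removal(self, reason: str) -> None:
        # Removal returns the device to the unauthenticated state and
        # wipes session material held in volatile memory.
        self.authenticated = False
        self.volatile_ram.clear()
        self.events.append(f"deauthenticated: {reason}")

    def clasp_opened(self) -> None:
        self.clasp_closed = False
        self._on_removal("clasp opened")

    def continuity_broken(self) -> None:
        self.continuity_ok = False
        self._on_removal("band cut / continuity loop broken")

    def put_on(self) -> None:
        """Closing the clasp with an intact loop does NOT restore
        authentication; the wearer must re-initialize (authenticate again)."""
        self.clasp_closed = True
        self.continuity_ok = True
        self.events.append("worn again, still unauthenticated")

    def control_signal(self) -> bool:
        """Only an authenticated device may assert 'user authenticated'."""
        return self.authenticated


def access_decision(wearable: Wearable, policy: AccessPolicy,
                    tx_power_dbm: float, rssi_dbm: float):
    """Decide what an access point should do for one beacon reading.

    Returns (action, estimated_distance_m) with action one of
    'deny', 'unlock', 'hold', 'leash-warn', 'revoke'."""
    d = estimate_distance_m(tx_power_dbm, rssi_dbm)
    if not wearable.control_signal():
        return "deny", d
    if d <= policy.unlock_within_m:
        return "unlock", d
    if d > policy.revoke_beyond_m:
        return "revoke", d
    if d > policy.leash_warn_beyond_m:
        return "leash-warn", d
    return "hold", d


if __name__ == "__main__":
    w, p = Wearable(), AccessPolicy()
    w.authenticate(b"constructed-session-key")
    for rssi in (-50, -65, -75, -85):  # constructed readings, txPower -59 dBm
        print(rssi, access_decision(w, p, -59, rssi))
    w.clasp_opened()
    print(access_decision(w, p, -59, -50), w.events[-1])
```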
- secure memory 418 may be a hardened tamper resistant memory device that is resistant to physical tampering.
- sensitive information such as cryptographic keys, biometric profiles derived from captured biometric features, and the like may be stored in secure memory 418.
- authentication device 402 may be arranged to include a CPU or System-on-a-Chip (SOC) for controlling the operations of the authentication device.
- the performance capability of CPU/SOC 420 may vary depending on how much processing authentication device 402 is intended to perform.
- GPS transceiver 422 may represent the radios, hardware, and instructions (e.g., software) for receiving geo-location. GPS transceiver 422 may determine the physical coordinates of authentication device 402 on the surface of the Earth. GPS transceiver 422 typically outputs a location as latitude and longitude values.
- GPS transceiver 422 may also employ other geo-positioning mechanisms, including, but not limited to, triangulation, assisted GPS (AGPS), Enhanced Observed Time Difference (E-OTD), Cell Identifier (CI), Service Area Identifier (SAI), Enhanced Timing Advance (ETA), Base Station Subsystem (BSS), or the like, to further determine the physical location of authentication device 402 on the surface of the Earth. It is understood that under different conditions, GPS transceiver 422 may determine a physical location within millimeters for authentication device 402; and in other cases, the determined physical location may be less precise, such as within a meter or significantly greater distances.
- additional sensors 424 represent one or more sensor systems including, additional sensors such as accelerometers, motion sensors, proximity sensors, barometric sensors, pressure sensors, thermometers, microphones, near infrared sensors, light sensors, capacitive sensors, gyroscopes, manometers, cameras, humidity sensors, hall sensors, galvanic skin sensors, photoplethysmogram sensors, electroencephalogram sensors, electromyogram sensors, blood flow sensors, bioimpedance sensors, otoacoustic emission sensors, optical sensors, altimeter sensors, UV light sensors, or the like.
- authentication device 402 may be arranged to include a variety of biometric and/or physiological sensors and probes for detecting, sensing, and/or sampling a variety of biometric and/or physiological signals from the wearer.
- ECG sensors 426 represent one or more sensors for detecting, sensing, and/or sampling ECG information as described above.
- Fingerprint sensor 427, depicted adjacent to ECG sensor 426 to indicate physical proximity on the physical device, represents a sensor for scanning fingerprints, as described above.
- biometric sensors 428 represent one or more sensors for detecting, sensing, and/or sampling other biometric information as described above.
- sensors may be comprised of one or more probes, contacts, or the like.
- one or more probes or contacts, represented by probes 436, may be used to collect signals for more than one sensor.
- ECG sensor 426 may be adjacent to, surrounding, internal to, integrated with, and/or otherwise close enough to fingerprint sensor 427 that a user may easily place a finger on probes for both sensors at the same time.
- probes for ECG sensor 426 may be located next to / integrated with one or more probes for fingerprint sensor 427 such that it is difficult if not impossible to selectively activate one sensor but not the other, and such that it is difficult if not impossible for two fingers, each from different people, to individually be captured by the different sensors.
- one or more probes or other components may be shared by two or more sensors.
- a sensor for detecting body temperature, heart rate, ECGs, or the like may be arranged to share the same probe.
- biometric sensor 402 may be arranged to include a variety of components for interacting with the wearer.
- Vibration motor 430 may enable the authentication device to vibrate to notify the wearer of various changes in state, or the like (as discussed above).
- user interface 432 may comprise elements that enable a user to provide input to the authentication device or for receiving output from the authentication device as discussed above, including biometric data that may be employed to uniquely identify a user, such as gait, heart rate, galvanic skin response, temperature, fingerprint, voice or voiceprint, body electrical characteristic, body thermal characteristic, iris pattern, vein pattern, eye vein pattern, facial or other anatomical structure, electrocardiogram, photoplethysmogram, electromyogram, electroencephalogram, transient otoacoustic emissions, phonocardiogram, DNA, one or more chemical markers, one or more biochemical markers, skin-color variation or discolouration, perspiration, or the like.
- user interface 432 may include a key pad, buttons, LEDs, a microphone (for voice commands), or the like, or combination thereof.
- power source 434 may be arranged to provide power for operating authentication device 402.
- Power source 434 may include various batteries, storage cells, power adapters, chargers, or the like, as well as, power sources such as, photovoltaic, kinetic, or microgenerator, thermal, piezo-electric generator, inductive charging, and wireless power transfer or the like, or combination thereof.
- authentication device 402 is a non-limiting example of an authentication device that is in accordance with at least one of the various embodiments. Even though authentication device 402 represents a wristband wearable authentication device, authentication devices within the scope of these innovations may be arranged in other form factors, such as those discussed above.
- the components described in FIGURE 4B and/or elsewhere in this paper may be implemented in hardware, including dedicated (custom) hardware, ASICs, FPGAs, or the like. Likewise, these components or portions thereof may be implemented in whole or in part using software.
- FIGURE 5A illustrates a logical schematic of authentication device 500 showing sensors for fingerprint scanning and ECG signal capturing in accordance with at least one of the various embodiments.
- authentication device section 502 represents a side cross-section that highlights one arrangement for capturing fingerprints and ECG signals.
- fingerprint sensors in an authentication device may be arranged to receive signals from one or more probes, such as probe 504.
- Probe 504 may be a camera, scanner, or other device or component capable of capturing signals that correspond to a fingerprint.
- ECG sensors may be arranged to use probes, such as probe 506 and probe 508, that may be probe contacts (e.g., electrodes, conductive contacts, or the like) arranged to capture ECG signals upon direct contact with a user's skin.
- probe 504 and probe 506 are arranged to enable the user to touch with a finger of his or her opposite hand (the hand not wearing the authentication device).
- probe 508 is arranged to contact the skin of the user’s wrist that is wearing the authentication device. Accordingly, a circuit may be made from one hand to the other, enabling ECG signals to be captured through the probes and provided to one or more sensors, concurrent with a fingerprint of the same finger being captured.
- other probe or sensor arrangements may be employed. Further, more or fewer probes or sensors may be arranged in different positions; however, the arrangement disclosed in FIGURE 5B is at least sufficient for practicing the innovations described herein.
- FIGURE 5B illustrates a logical schematic of authentication device 510 showing another arrangement of probes for fingerprint scanning and ECG signal capturing in accordance with at least one of the various embodiments.
- authentication device section 512 represents a side cross-section that highlights one arrangement for capturing fingerprints and ECG signals.
- Probe 516 represents a contact (e.g., conductive metal ring or bezel) arranged to capture ECG signals upon direct contact of a user’s skin. In some embodiments, probe 516 may be positioned to contact a user’s finger while that finger is in contact with probe 514.
- probe 514 and probe 516 are arranged to enable the user to simultaneously contact both probes with the same finger of his or her opposite hand (the hand not wearing the authentication device). Accordingly, while the user's fingertip is in contact with both probes at the same time, probe 514 captures the user's fingerprint information and probe 516 acts as a conductive contact.
- probe 518 is arranged to contact the skin of the user’s wrist that is wearing the authentication device. Accordingly, a circuit may be made from one hand to the other, enabling ECG signals to be captured through the probes and provided to an ECG sensor, such as, ECG sensor 426, concurrent with a fingerprint of the same finger being captured.
- FIGURE 5C illustrates a logical schematic of authentication device 510 showing a top view of the arrangement of sensors for fingerprint scanning and ECG signal capturing in accordance with at least one of the various embodiments.
- authentication device section 512 represents a top view of device 510 that highlights one arrangement for capturing fingerprints and ECG signals.
- the one or more probes may include a camera, scanner, or other device capable of capturing an image of a fingerprint.
- Probe 516 represents a conductive contact (e.g., conductive metal ring or bezel) arranged to capture ECG signals upon direct contact of a user’s skin.
- probe 516 may be positioned to contact a user’s finger while that finger is in contact with probe 514.
- probe 514 and probe 516 are arranged to enable the user to simultaneously contact both probes with the same finger of his or her opposite hand (the hand not wearing the authentication device). Accordingly, while the user's fingertip is in contact with both probes at the same time, probe 514 captures the user's fingerprint information and probe 516 acts as a conductive contact.
- probe 518 (not visible in FIGURE 5C) is arranged to contact the skin of the user’s wrist that is wearing the authentication device. Accordingly, a circuit may be made from one hand to the other, enabling ECG signals to be captured through the probes, concurrent with a fingerprint of the same finger being captured.
- other sensor or probe arrangements may be employed. Further, more or fewer probes or sensors may be arranged in different positions; however, the arrangement disclosed in FIGURE 5C is at least sufficient for practicing the innovations described herein.
- authentication devices 502/512 are non-limiting examples of authentication devices that are in accordance with at least some of the various embodiments. Even though authentication devices 502/512 represent wristband wearable authentication devices, authentication devices within the scope of these innovations may be arranged in other form factors, such as those discussed above.
- the components described in FIGURE 4B and/or elsewhere in this paper, as they relate to the embodiments shown in FIGURES 5A-5C, may also be implemented in hardware, including dedicated (custom) hardware, ASICs, FPGAs, or the like. Likewise, these components or portions thereof may be implemented in whole or in part using software, firmware and/or combinations thereof.
- a wearable device may be arranged to omit features and components related to biometric sensors, biometric signals, or the like.
- the preauthorization and/or authentication of the device may be based on non-biometric security factors.
- the term biometric device is used throughout this description even though some wearable devices may be arranged to omit biometric features for authentication and/or preauthorization.
- each block of the flowchart illustration, and combinations of blocks in the flowchart illustration may be implemented by computer program instructions.
- These program instructions may be provided to a processor to produce a machine, such that the instructions, which execute on the processor, create means for implementing the actions specified in the flowchart block or blocks.
- the computer program instructions may be executed by a processor to cause a series of operational steps to be performed by the processor to produce a computer-implemented process, such that the instructions, which execute on the processor, provide steps for implementing the actions specified in the flowchart block or blocks.
- the computer program instructions may also cause at least some of the operational steps shown in the blocks of the flowchart to be performed in parallel.
- program instructions may be stored on some type of machine readable storage media, such as processor readable non-transitory storage media, or the like. Moreover, some of the steps may also be performed across more than one processor, such as might arise in a multi-processor computer system. In addition, one or more blocks or combinations of blocks in the flowchart illustration may also be performed concurrently with other blocks or combinations of blocks, or even in a different sequence than illustrated without departing from the general scope or spirit of the present disclosure.
- blocks of the flowchart illustration support combinations of means for performing the specified actions, combinations of steps for performing the specified actions and program instruction means for performing the specified actions. It will also be understood that each block of the flowchart illustration, and combinations of blocks in the flowchart illustration, may be implemented by special purpose hardware-based systems, which perform the specified actions or steps, or combinations of special purpose hardware and computer instructions.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Various embodiments of the invention relate to a digital certificate enrollment system and method, and to a challenge password management system and associated method. In one embodiment, a digital certificate enrollment front-end process may be executed digitally by one or more digital data processors so as to enroll a digital certificate relating to a network device with a corresponding certificate authority (CA). By way of example, such a process comprises the steps of: requesting a challenge password on behalf of the network device; providing the network device with secure access to the challenge password; obtaining a signed certification request from the network device that contains the challenge password; issuing a certificate enrollment request containing the challenge password on behalf of the network device so as to invoke issuance of the user digital certificate by the CA; and relaying the digital certificate to the network device.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA3,022,109 | 2018-10-25 | | |
CA3022109A CA3022109A1 (fr) | 2018-10-25 | 2018-10-25 | System and method for digital certificate enrollment, and challenge password management system and method thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020082164A1 true WO2020082164A1 (fr) | 2020-04-30 |
Family
ID=70329716
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CA2019/051022 WO2020082164A1 (fr) | 2018-10-25 | 2019-07-24 | Digital certificate enrollment system and method, and challenge password management system and associated method |
Country Status (2)
Country | Link |
---|---|
CA (1) | CA3022109A1 (fr) |
WO (1) | WO2020082164A1 (fr) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112612721A (zh) * | 2021-01-13 | 2021-04-06 | 四川酷比通信设备有限公司 | Test method, system, device and storage medium for a terminal fingerprint recognition function |
WO2022119633A1 (fr) * | 2019-12-06 | 2022-06-09 | Ismail Jibrin | System, method and device for liveness verification using a one-time biometric password |
CN114731280A (zh) * | 2022-02-25 | 2022-07-08 | 百果园技术(新加坡)有限公司 | Identity authentication method, apparatus, terminal, storage medium and program product |
WO2022159692A1 (fr) * | 2021-01-22 | 2022-07-28 | Orchid Sound Technologies LLC | System with ultrasonic sensor |
WO2023076933A1 (fr) * | 2021-10-27 | 2023-05-04 | Verifone, Inc. | Systems and methods for pairing a site controller with point-of-sale devices |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113791872B (zh) * | 2021-11-11 | 2022-03-22 | 北京信安世纪科技股份有限公司 | Cloud-computing-based authentication method and system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8522035B2 (en) * | 2011-09-20 | 2013-08-27 | Blackberry Limited | Assisted certificate enrollment |
US20170288883A1 (en) * | 2016-03-30 | 2017-10-05 | Airwatch Llc | Certificate distribution using derived credentials |
- 2018-10-25 CA CA3022109A patent/CA3022109A1/fr not_active Abandoned
- 2019-07-24 WO PCT/CA2019/051022 patent/WO2020082164A1/fr active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8522035B2 (en) * | 2011-09-20 | 2013-08-27 | Blackberry Limited | Assisted certificate enrollment |
US20170288883A1 (en) * | 2016-03-30 | 2017-10-05 | Airwatch Llc | Certificate distribution using derived credentials |
Non-Patent Citations (1)
Title |
---|
EK CHO, CERTIFICATE-BASED AUTHENTICATION AND SCEP, 27 August 2015 (2015-08-27), Retrieved from the Internet <URL:https://devbloe.blackberrv.com/en/2015/08/certificate-based-authentication-and-scep> [retrieved on 20191004] * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022119633A1 (fr) * | 2019-12-06 | 2022-06-09 | Ismail Jibrin | System, method and device for liveness verification using a one-time biometric password |
CN112612721A (zh) * | 2021-01-13 | 2021-04-06 | 四川酷比通信设备有限公司 | Test method, system, device and storage medium for a terminal fingerprint recognition function |
CN112612721B (zh) * | 2021-01-13 | 2024-04-23 | 四川酷比通信设备有限公司 | Test method, system, device and storage medium for a terminal fingerprint recognition function |
WO2022159692A1 (fr) * | 2021-01-22 | 2022-07-28 | Orchid Sound Technologies LLC | System with ultrasonic sensor |
WO2023076933A1 (fr) * | 2021-10-27 | 2023-05-04 | Verifone, Inc. | Systems and methods for pairing a site controller with point-of-sale devices |
CN114731280A (zh) * | 2022-02-25 | 2022-07-08 | 百果园技术(新加坡)有限公司 | Identity authentication method, apparatus, terminal, storage medium and program product |
CN114731280B (zh) * | 2022-02-25 | 2024-02-09 | 百果园技术(新加坡)有限公司 | Identity authentication method, apparatus, terminal and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CA3022109A1 (fr) | 2020-04-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11720656B2 (en) | Live user authentication device, system and method | |
US11451536B2 (en) | User state monitoring system and method using motion, and a user access authorization system and method employing same | |
US9349235B2 (en) | Preauthorized wearable biometric device, system and method for use thereof | |
US20240098491A1 (en) | Cryptographic process for portable devices, and user presence and/or access authorization system and method employing same | |
WO2020082164A1 (fr) | Digital certificate enrollment system and method, and challenge password management system and associated method | |
US9197414B1 (en) | Cryptographic protocol for portable devices | |
US9032501B1 (en) | Cryptographic protocol for portable devices | |
US20220229895A1 (en) | Live user authentication device, system and method and fraud or collusion prevention using same | |
US20140380445A1 (en) | Universal Authentication and Data Exchange Method, System and Service | |
US11605255B2 (en) | User activity-related monitoring system and method, and a user access authorization system and method employing same | |
EP3076585A1 (fr) | Cryptographic protocol for portable devices | |
Acar | Privacy-aware Security Applications in the Era of Internet of Things |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19876681 Country of ref document: EP Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 19876681 Country of ref document: EP Kind code of ref document: A1 |